Your server has been compromised
Reminder: You are the sole administrator of your VPS, and are therefore responsible for the actions performed on it. If your VPS is used by a third party without your knowledge (hack, password leak, etc.) you may be held responsible for the actions performed by them. If you suspect that access to your VPS has been compromised, it is imperative that you take appropriate measures to block this access.
Several elements can lead to the consideration that access to your server has been compromised. These may include :
Unauthorized access discovery following log analysis
Abnormal behaviors on your VPS (high CPU usage, large outgoing network flow, abuses, outgoing spam, etc)
A report from our technical support
Something you don't recognize on your VPS
Whenever one of these elements suggests that your access has been compromised, it is necessary to act very quickly in order to restore the situation. The actions generated by these compromised accesses can indeed be illegal (sending mass SPAM, use as VPN, phishing hosting, DDoS attacks, etc), or make your server unusable (use of very high CPU, preventing your VPS from functioning normally.
It is unfortunately very complex, if not impossible, to completely clean a server, and to ensure that no backdoor is still present, allowing the attacker to return to the server. It is therefore highly recommended to completely reinstall your VPS if you discover that it has been compromised.
If you don't have the possibility to reinstall the server immediately, we recommend the following actions:
You can very easily list the current processes with the following command:
You will then get a list of all processes active on the VPS. If some of them seem abnormal to you, you can easily check the path of the concerned file to take the necessary actions.
You can also install the htop package, to see some information about your VPS, and list them in order of CPU consumption.
You can exit HTOP by pressing F10 or Ctrl+C
The "clamav" package allows you to easily scan your VPS files for known malware or backdoor. It can be used in a very simple way:
This will launch a scan of all the files in the VPS, and will list the files considered dangerous. Note that this scan may take several minutes (or hours) depending on the amount of data in your VPS, and your offer.
We invite you to quickly follow our guide **Increase server security**, in order to avoid new illicit accesses to your VPS.
Several elements can lead to the consideration that access to your server has been compromised. These may include :
Unauthorized access discovery following log analysis
Abnormal behaviors on your VPS (high CPU usage, large outgoing network flow, abuses, outgoing spam, etc)
A report from our technical support
Something you don't recognize on your VPS
Whenever one of these elements suggests that your access has been compromised, it is necessary to act very quickly in order to restore the situation. The actions generated by these compromised accesses can indeed be illegal (sending mass SPAM, use as VPN, phishing hosting, DDoS attacks, etc), or make your server unusable (use of very high CPU, preventing your VPS from functioning normally.
It is unfortunately very complex, if not impossible, to completely clean a server, and to ensure that no backdoor is still present, allowing the attacker to return to the server. It is therefore highly recommended to completely reinstall your VPS if you discover that it has been compromised.
If you don't have the possibility to reinstall the server immediately, we recommend the following actions:
1/ Check current processes
You can very easily list the current processes with the following command:
root@Helpdesk:~# ps auxYou will then get a list of all processes active on the VPS. If some of them seem abnormal to you, you can easily check the path of the concerned file to take the necessary actions.
You can also install the htop package, to see some information about your VPS, and list them in order of CPU consumption.
root@Helpdesk:~# apt-get install htoproot@Helpdesk:~# htopYou can exit HTOP by pressing F10 or Ctrl+C
2/ Run an antivirus scan on the VPS
The "clamav" package allows you to easily scan your VPS files for known malware or backdoor. It can be used in a very simple way:
root@Helpdesk:~# apt-get install clamavroot@Helpdesk:~# freshclamroot@Helpdesk:~# clamscan -r --bell -i /This will launch a scan of all the files in the VPS, and will list the files considered dangerous. Note that this scan may take several minutes (or hours) depending on the amount of data in your VPS, and your offer.
3/ Make your VPS more secure
We invite you to quickly follow our guide **Increase server security**, in order to avoid new illicit accesses to your VPS.
Updated on: 22/05/2023
Thank you!