πŸ›‘οΈ How to Check If Your VPS Is Compromised or Infected

If your VPS is behaving strangely, running slow, or using more resources than expected, it could be compromised. Here’s a simple step-by-step guide for Hosteons clients to help detect common signs of infection or unauthorized access.


✅ Step 1: Check for Unusual CPU or Memory Usage

Start by checking if any process is consuming excessive resources:

top

or use:

htop

Look for unfamiliar processes, especially those using a high percentage of CPU or memory.


🧠 Step 2: Check for Unknown Network Connections

You can inspect open ports and active connections with:

ss -tulnp

Also try:

netstat -antup

Check for unknown IP addresses or ports your VPS shouldn’t be using (e.g., cryptomining pools, spam servers, etc.).


πŸ” Step 3: Scan Running Processes

List all processes with their command line details:

ps auxf

Watch for suspicious scripts, base64-encoded strings, or unfamiliar binaries.


πŸ” Step 4: Check for New or Unauthorized Users

List all users:

cat /etc/passwd

Check recent logins:

last

Or failed login attempts (this file is used on Debian/Ubuntu; RHEL-based systems log the same events to /var/log/secure):

grep "Failed password" /var/log/auth.log

Watch for users or login attempts you don’t recognize.


πŸ•΅οΈ Step 5: Inspect Cron Jobs & Scheduled Tasks

Malware often installs cron jobs to maintain persistence:

crontab -l
ls -la /etc/cron*

Look for unusual scripts or scheduled commands. Note that crontab -l shows only the current user's crontab; the per-user files live under /var/spool/cron (Debian/Ubuntu: /var/spool/cron/crontabs), and systemd timers (systemctl list-timers --all) are another place persistence can hide.


🐚 Step 6: Scan for Malware

Install and run a malware scanner like Chkrootkit or ClamAV:

Chkrootkit:

apt install chkrootkit   # Debian/Ubuntu
chkrootkit

ClamAV:

apt install clamav
freshclam
clamscan -r /

These tools help detect rootkits, backdoors, and trojans.


πŸ“ Step 7: Check for Suspicious Files

Search for recently modified or hidden files:

find / -type f -mtime -2
find / -name ".*" -type f

Look especially in /tmp, /var/tmp, and /dev/shm, which are world-writable and therefore common hiding places for malicious scripts.


📜 Step 8: Check System Logs

Scan through /var/log/syslog, /var/log/auth.log, and /var/log/messages for any strange activity.

Example:

less /var/log/auth.log

Use grep to search for specific keywords like root, sudo, fail, etc.
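As an added example (not part of the Hosteons article and not their tooling), the shell below turns Steps 4, 7 and 8 into reusable checks: one lists accounts besides root that have UID 0 in passwd-format input, one counts "Failed password" lines per source address in auth.log-format input, and one lists hidden or executable files recently modified under a directory. The passwd lines, log lines and temporary directory it uses are constructed samples, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Hosteons article: offline helpers for Steps 4, 7 and 8.
# The passwd lines, log lines and the temporary directory below are constructed samples.

# Step 4: print accounts other than root that have UID 0 (a second UID-0 account is a
# classic backdoor). Reads passwd-format text on stdin, e.g. extra_uid0_users < /etc/passwd
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Steps 4 and 8: count "Failed password" lines per source address and print the addresses
# with at least THRESHOLD attempts. Reads auth.log-format text on stdin; argument 1 is the
# threshold (default 5), e.g. brute_force_sources 20 < /var/log/auth.log
brute_force_sources() {
    threshold="${1:-5}"
    grep 'Failed password' | awk -v t="$threshold" '
        { for (i = 1; i < NF; i++) if ($i == "from") attempts[$(i + 1)]++ }
        END { for (a in attempts) if (attempts[a] >= t) print a, attempts[a] }' | LC_ALL=C sort
}

# Step 7: list hidden files and user-executable files modified in the last N days under a
# directory (default 2 days), e.g. suspicious_files /tmp ; suspicious_files /dev/shm
suspicious_files() {
    find "$1" -type f -mtime "-${2:-2}" \( -name '.*' -o -perm -u+x \) | LC_ALL=C sort
}

# Constructed sample input: a passwd file with an extra UID-0 account named "sysupd".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
sysupd:x:0:0::/tmp/.x:/bin/sh'

# Constructed sample input: auth.log lines with three failures from 203.0.113.5 and one
# from 198.51.100.7 (both documentation address ranges, not real hosts).
SAMPLE_AUTH='Jun  1 10:00:01 vps sshd[1234]: Failed password for root from 203.0.113.5 port 41122 ssh2
Jun  1 10:00:03 vps sshd[1234]: Failed password for root from 203.0.113.5 port 41123 ssh2
Jun  1 10:00:05 vps sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 41124 ssh2
Jun  1 10:01:00 vps sshd[1240]: Accepted publickey for admin from 198.51.100.7 port 50000 ssh2
Jun  1 10:02:00 vps sshd[1241]: Failed password for admin from 198.51.100.7 port 50001 ssh2'

# Builds a constructed directory resembling a /tmp with one harmless text file, one hidden
# script and one executable; prints the directory path.
make_sample_dir() {
    sdir=$(mktemp -d)
    printf 'just notes\n' > "$sdir/notes.txt"
    printf '#!/bin/sh\necho hidden\n' > "$sdir/.hidden.sh"
    printf '#!/bin/sh\necho updater\n' > "$sdir/updater"
    chmod u+x "$sdir/updater"
    printf '%s\n' "$sdir"
}

# Demo run on the constructed samples.
echo "UID-0 accounts other than root:"
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_users
echo "Sources with 3 or more failed password attempts:"
printf '%s\n' "$SAMPLE_AUTH" | brute_force_sources 3
demo_dir=$(make_sample_dir)
echo "Hidden or executable files modified in the last 2 days under $demo_dir:"
suspicious_files "$demo_dir"
rm -rf "$demo_dir"
```

On a live system, feed the real files instead of the samples: `extra_uid0_users < /etc/passwd`, `brute_force_sources 20 < /var/log/auth.log` (or /var/log/secure on RHEL-based systems) and `suspicious_files /tmp`. The find pattern reports every recently modified executable, so expect some legitimate hits after package upgrades; the goal is a short list you can actually read, not a verdict.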


🚨 What to Do If You Suspect a Compromise

If you suspect your VPS has been compromised:

1. Disconnect from the internet (disable the network interface).

2. Back up important data (be cautious with infected files).

3. Open a support ticket with Hosteons: https://my.hosteons.com

4. Consider wiping and reinstalling the OS for full peace of mind.

5. Change all relevant passwords and SSH keys.


🧯 Prevention Tips

• Use strong passwords and SSH keys

• Keep your software and OS updated

• Disable root login and use a non-root user with sudo

• Set up a firewall like ufw

• Regularly monitor your server
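The two SSH tips above (disable root login, prefer keys over passwords) come down to two sshd_config directives. As an added example, not from the Hosteons article, the shell below shows a weak and a hardened configuration side by side and a small audit function that reports which directive is still permissive. Both sample configs are constructed and the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the Hosteons article: audit sshd_config for the two SSH tips above.
# Both sample configs are constructed; the function name is mine.

# Reads sshd_config text on stdin and prints one line per weak setting; prints nothing when
# PermitRootLogin and PasswordAuthentication are both "no". Only the "Keyword value" form
# and the global section (before any Match block) are handled. sshd applies the FIRST value
# it reads for a keyword, so the audit keeps the first occurrence as well: a hardened line
# appended at the bottom of the file does not override an earlier permissive one.
ssh_hardening_findings() {
    awk '
        function check(k, name,   v) {
            v = (k in seen) ? seen[k] : "unset"
            if (v != "no") print name " should be no (found: " v ")"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }                      # stop at the first Match block
        !(tolower($1) in seen) { seen[tolower($1)] = tolower($2) }
        END {
            check("permitrootlogin", "PermitRootLogin")
            check("passwordauthentication", "PasswordAuthentication")
        }'
}

# Weak configuration (constructed): root may log in with a password, and the "no" at the end
# is ignored because the earlier "yes" wins.
SSHD_WEAK='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no'

# Hardened configuration (constructed): key-only login as a non-root user, as the tips suggest.
SSHD_HARDENED='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin'

echo "Weak config:"
printf '%s\n' "$SSHD_WEAK" | ssh_hardening_findings
echo "Hardened config:"
printf '%s\n' "$SSHD_HARDENED" | ssh_hardening_findings
echo "(no findings means both settings are no)"
```

On a live system run `ssh_hardening_findings < /etc/ssh/sshd_config`. Recent Ubuntu releases include /etc/ssh/sshd_config.d/*.conf at the top of the main file, and since the first value wins, a drop-in there overrides anything below it, so audit those files too. After editing, check the syntax with `sshd -t` and confirm a key-based login as your sudo user from a second terminal before closing the session you already have, because a mistake here locks you out of the VPS.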


Stay secure,

The Hosteons Team
