
If your VPS is behaving strangely, running slow, or using more resources than expected, it could be compromised. Here's a simple step-by-step guide for Hosteons clients to help detect common signs of infection or unauthorized access.
Step 1: Check for Unusual CPU or Memory Usage
Start by checking if any process is consuming excessive resources:
top
or use:
htop
Look for unfamiliar processes, especially those using a high percentage of CPU or memory.
Step 2: Check for Unknown Network Connections
You can inspect open ports and active connections with:
ss -tulnp
Also try:
netstat -antup
Check for unknown IP addresses or ports your VPS shouldn't be using (e.g., cryptomining pools, spam servers, etc.).
Step 3: Scan Running Processes
List all processes with their command line details:
ps auxf
Watch for suspicious scripts, base64-encoded strings, or unfamiliar binaries.
Step 4: Check for New or Unauthorized Users
List all users:
cat /etc/passwd
Check recent logins:
last
Or failed login attempts:
grep "Failed password" /var/log/auth.log
Watch for users or login attempts you don't recognize.
Step 5: Inspect Cron Jobs & Scheduled Tasks
Malware often installs cron jobs to maintain persistence:
crontab -l
ls -la /etc/cron*
Look for unusual scripts or scheduled commands.
Step 6: Scan for Malware
Install and run a malware scanner like Chkrootkit or ClamAV:
Chkrootkit:
apt install chkrootkit # Debian/Ubuntu
chkrootkit
ClamAV:
apt install clamav
freshclam
clamscan -r /
These tools help detect rootkits, backdoors, and trojans.
Step 7: Check for Suspicious Files
Search for files modified in the last two days, and for hidden files (names starting with a dot):
find / -type f -mtime -2
find / -name ".*" -type f
Look especially in /tmp, /var/tmp, or /dev/shm, common hiding places for malicious scripts.
Step 8: Check System Logs
Look through /var/log/syslog, /var/log/auth.log, and /var/log/messages for any strange activity.
Example:
less /var/log/auth.log
Use grep to search for specific keywords like root, sudo, fail, etc.
What to Do If You Suspect a Compromise
If you suspect your VPS has been compromised:
1. Disconnect from the internet (disable the network interface).
2. Back up important data (be cautious with infected files).
3. Open a support ticket with Hosteons: https://my.hosteons.com
4. Consider wiping and reinstalling the OS for full peace of mind.
5. Change all relevant passwords and SSH keys.
Prevention Tips
• Use strong passwords and SSH keys
• Keep your software and OS updated
• Disable root login and use a non-root user with sudo
• Set up a firewall like ufw
• Regularly monitor your server
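Two of the tips above (disable root login, use SSH keys instead of passwords) come down to sshd_config settings. The example below is added here and is not Hosteons' own code: it places a weak sshd_config excerpt beside its hardened counterpart and checks which of those two settings are still wrong. Both config excerpts are constructed; the keyword names are the real OpenSSH ones, and the functions read any sshd_config on stdin.

```shell
#!/bin/sh
# Added example for the prevention tips (not Hosteons' code). Shows a weak
# sshd_config beside its hardened counterpart and a check that reports which
# of the two settings the tips call for are still wrong. Both configs are
# constructed excerpts, not files from a real server.

WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Hardened counterpart: no root login, no password logins, keys only.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Read sshd_config on stdin; print the effective value of keyword $1.
# sshd honours the first occurrence of a keyword, so the first match wins;
# prints "unset" when the keyword does not appear.
sshd_option() {
    awk -v key="$1" '
        BEGIN { v = "unset"; found = 0 }
        !found && $1 !~ /^#/ && tolower($1) == tolower(key) { v = $2; found = 1 }
        END { print v }'
}

# Read sshd_config on stdin; write one line per weak setting to stderr and
# print the number of findings. 0 means both tips are satisfied.
sshd_findings() {
    cfg=$(cat)
    n=0
    # Tip: disable root login. Anything other than an explicit "no" is flagged,
    # including an unset value, since the default still allows key-based root login.
    v=$(printf '%s\n' "$cfg" | sshd_option PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '$v'; set it to 'no' and log in as a sudo user" >&2
        n=$((n + 1))
    fi
    # Tip: use SSH keys instead of passwords.
    v=$(printf '%s\n' "$cfg" | sshd_option PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '$v'; set it to 'no' once your key login works" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Compare the two constructed configs. On a live server run:
#   sshd_findings < /etc/ssh/sshd_config
main() {
    echo "Weak config findings:     $(printf '%s\n' "$WEAK_SSHD_CONFIG" | sshd_findings)"
    echo "Hardened config findings: $(printf '%s\n' "$HARDENED_SSHD_CONFIG" | sshd_findings)"
}

main "$@"
```

The check reads only the file you give it; if your sshd_config uses Include directives or Match blocks, review those sections as well, and test a new key-based login in a second session before turning off password authentication so you do not lock yourself out.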
Stay secure,
The Hosteons Team