What can I do about abuse originating from my VPS?

Abuse originating from a VPS comes in many shapes and sizes, so the fix differs per operating system, per piece of software and per type of abuse. Because of that diversity it is impossible to cover every possible case. The sections below describe the most common forms of abuse, suggest how to find the cause on your VPS, and list measures that prevent a repeat.

Spam

You can find more information on how to find and resolve spam on a VPS here. By far the most common cause is a spam script injected into the VPS through an exploited vulnerability, usually in a popular CMS such as WordPress, Joomla or Drupal, or in one of its plugins or themes.

How can I prevent this from happening?

  • Keep your CMS and its plugins updated to the latest version. For older versions the vulnerabilities are usually public, and automated scanners actively look for them.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware.
  • Use a security plugin such as Wordfence to improve the security of your WordPress website; for Joomla, Securitycheck is a possible add-on.
  • If your website does not use mail forms, disable PHP's mail() function (add it to disable_functions in php.ini) or block outgoing connections to port 25 for the web server.
  • If you do use PHP mail forms, keep the recipient ('To:') address fixed in the script so a visitor cannot change it, and strip newlines from every visitor-supplied value that ends up in a mail header. Otherwise a visitor can inject extra recipients and send spam straight from your form.
  • For every form of website-related abuse the right file permissions matter. Almost every framework and CMS publishes a list of recommended permissions; applying them prevents an exploited vulnerability from being used to alter the core files of the framework.
  • Run a regular scan with tools such as ClamAV or Linux Malware Detect (LMD) so malware is detected as early as possible; schedule the scan in a cronjob.
  • Use our VPS Mailservice so outgoing spam is filtered or blocked before it reaches the Internet.
  • To prevent your mail address being abused after your password has been obtained, never log in over a connection without SSL/TLS (your password would travel in plain text) and always choose a strong, unique password.

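As an added example that is not part of the original article, the shell check below covers the php.ini side of the mail() advice above. It compares a weak configuration with a hardened one (mail() disabled) and with a middle ground for sites that do need mail(): every call is stamped with an X-PHP-Originating-Script header and logged, so a spam complaint can be traced to one file. The directives disable_functions, mail.add_x_header and mail.log are real PHP settings; the file names and contents are constructed for the example.

```shell
#!/bin/sh
# Added example: audit php.ini for the settings that control PHP's mail().
# The directives are real PHP ones; the sample files below are constructed.

# Return 0 if mail() is listed in disable_functions, otherwise 1.
php_mail_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | sed 's/^[^=]*=//' | tr ',' '\n' | tr -d ' \t' | grep -qx mail
}

# Return 0 if mail.add_x_header is on: every mail() call then adds an
# X-PHP-Originating-Script header naming the file that sent the message,
# so a spam complaint can be traced to one script. mail.log records the
# same information on the server side.
php_mail_traced() {
    grep -qiE '^[[:space:]]*mail\.add_x_header[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1"
}

# Summarise a php.ini as one word: hardened (mail() disabled), traced
# (mail() allowed but attributable) or open (neither).
php_mail_policy() {
    if php_mail_disabled "$1"; then
        echo hardened
    elif php_mail_traced "$1"; then
        echo traced
    else
        echo open
    fi
}

# Constructed sample configurations, written to a temporary directory.
tmp=$(mktemp -d)

# Weak: mail() enabled and nothing records which script used it.
cat > "$tmp/weak.ini" <<'EOF'
disable_functions =
mail.add_x_header = Off
EOF

# Hardened: the site has no mail forms, so mail() is disabled outright.
cat > "$tmp/hardened.ini" <<'EOF'
disable_functions = exec,passthru,shell_exec,system,mail
EOF

# Traced: the site needs mail(), so keep it but stamp and log every call.
cat > "$tmp/traced.ini" <<'EOF'
mail.add_x_header = On
mail.log = /var/log/php-mail.log
EOF

for f in weak hardened traced; do
    printf '%s: %s\n' "$f" "$(php_mail_policy "$tmp/$f.ini")"
done
# The sample files are left in $tmp for inspection; remove with: rm -rf "$tmp"
```

Run it against the php.ini your web server actually loads (php --ini shows the path for the CLI; phpinfo() shows it for the web SAPI, which can differ). When the "traced" policy is in place, the path in the X-PHP-Originating-Script header of a spam sample points straight at the injected script.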
Outgoing bruteforce attacks

These attacks are usually performed by malware placed on an exploited WordPress or Joomla installation (and are often aimed at other WordPress installations). Another possibility is that the system itself has been compromised, for example because a weak root password has been brute forced or a vulnerability in other software on the VPS has been exploited.

Usually the cause can be found by checking the running processes with ps aux | less. If an unknown or odd-looking process appears in that list, use lsof -p $processid to see which files and network connections it has open; replace '$processid' with the PID shown in the ps aux output. Also check ls -l /proc/$processid/exe and /proc/$processid/cwd: malware frequently runs from /tmp, /dev/shm or a CMS upload directory, and a binary that was deleted after it started shows up as '(deleted)'.

How can I prevent this from happening?

  • Keep your CMS and its plugins updated to the latest version. For older versions the vulnerabilities are usually public, and automated scanners actively look for them.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware.
  • Use a security plugin such as Wordfence to improve the security of your WordPress website; for Joomla, Securitycheck is a possible add-on.
  • For every form of website-related abuse the right file permissions matter. Almost every framework and CMS publishes a list of recommended permissions; applying them prevents an exploited vulnerability from being used to alter the core files of the framework.
  • Run a regular scan with tools such as ClamAV, rkhunter, chkrootkit or Linux Malware Detect (LMD) so malware is detected as early as possible; schedule the scan in a cronjob.
  • Install updates for the OS and all other software promptly.
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you do not use mail or SSH on it, there is no reason for those services to run or for their ports to be open; a closed port cannot be abused by outsiders. Check exactly which services and ports your VPS needs. Restricting outgoing traffic also limits what malware can do once it is in (blocking outgoing port 22 for everything except your own sessions stops most SSH brute forcing). Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.
  • Use strong, hard-to-guess passwords, or better, SSH keys with password authentication turned off, and disable root login over SSH. Many of our default installations already have root login disabled for security reasons. Moving SSH and other frequently attacked services to a non-default port reduces the noise from automated scanners but does not stop a targeted attacker, so treat it as an extra and not as a replacement.

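The last bullet above is easy to get wrong because sshd honours the first occurrence of a directive, not the last. The shell check below is an added example, not part of the original article: it reads an sshd_config, reports PermitRootLogin and PasswordAuthentication, and contrasts a weak file with a hardened one. It assumes only the main file matters (Include and Match blocks are ignored) and that the built-in defaults passed as third argument are those of OpenSSH 7.0 or newer; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit sshd_config for the two settings that stop root
# password brute forcing. Assumptions: only the main file is read (Include
# and Match blocks are ignored) and the compiled-in defaults passed as the
# third argument match OpenSSH 7.0 or newer. Sample files are constructed.

# Print the effective value of directive $2 in file $1, or default $3 when
# the directive is absent. sshd honours the FIRST occurrence of a keyword,
# so a later duplicate (often appended by a script) does not override it.
sshd_setting() {
    val=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    echo "${val:-$3}"
}

# Print "ok" or the list of risky settings found.
sshd_audit() {
    issues=""
    root=$(sshd_setting "$1" PermitRootLogin prohibit-password)
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) issues="$issues PermitRootLogin=$root" ;;
    esac
    [ "$pw" = no ] || issues="$issues PasswordAuthentication=$pw"
    if [ -z "$issues" ]; then echo ok; else echo "${issues# }"; fi
}

tmp=$(mktemp -d)

# Weak: root may log in with a password, so a guessed root password is enough.
cat > "$tmp/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Hardened: keys only, no root login. The duplicate at the end is ignored by
# sshd (first value wins), and the audit reproduces that.
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# appended later by someone who did not know the first-value-wins rule:
PasswordAuthentication yes
EOF

for f in weak hardened; do
    printf '%s: %s\n' "$f" "$(sshd_audit "$tmp/$f.conf")"
done
```

On a live system, sshd -T prints the fully resolved configuration (including Include and Match handling) and is the authoritative check; the function above is for reading a file you have not yet deployed. Keep an existing session open while you switch to key-only login, so a mistake does not lock you out.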
Phishing

In most cases of phishing websites or pages on your VPS, the cause is an infected installation of WordPress, Joomla or another popular CMS: almost every time a known vulnerability in the CMS or one of its plugins has been exploited by outsiders to upload the phishing pages.

How can I prevent this from happening?

  • Keep your CMS and its plugins updated to the latest version. For older versions the vulnerabilities are usually public, and automated scanners actively look for them.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware.
  • Use a security plugin such as Wordfence to improve the security of your WordPress website; for Joomla, Securitycheck is a possible add-on.
  • For every form of website-related abuse the right file permissions matter. Almost every framework and CMS publishes a list of recommended permissions; applying them prevents an exploited vulnerability from being used to alter the core files of the framework.
  • Run a regular scan with tools such as ClamAV or Linux Malware Detect (LMD) so malware is detected as early as possible; schedule the scan in a cronjob. When you find the content on your server, remove it via (s)FTP or the command line, but also find and close the hole it came in through (an outdated plugin, a leaked password), otherwise the pages will simply be uploaded again.

Malware

In most cases of malware being spread from your VPS, the cause is an infected installation of WordPress, Joomla or another popular CMS: almost every time a known vulnerability in the CMS or one of its plugins has been exploited by outsiders to place the malware on your VPS.

How can I prevent this from happening?

  • Keep your CMS and its plugins updated to the latest version. For older versions the vulnerabilities are usually public, and automated scanners actively look for them.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware.
  • Use a security plugin such as Wordfence to improve the security of your WordPress website; for Joomla, Securitycheck is a possible add-on.
  • For every form of website-related abuse the right file permissions matter. Almost every framework and CMS publishes a list of recommended permissions; applying them prevents an exploited vulnerability from being used to alter the core files of the framework.
  • Run a regular scan with tools such as ClamAV or Linux Malware Detect (LMD) so malware is detected as early as possible; schedule the scan in a cronjob. When you find the content on your server, remove it via (s)FTP or the command line, and close the hole it came in through.
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you do not use mail or SSH on it, there is no reason for those services to run or for their ports to be open; a closed port cannot be abused by outsiders. Check exactly which services and ports your VPS needs. Restricting outgoing traffic also limits what malware can do once it is in. Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.

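The spam, phishing and malware sections above all come down to the same task: finding the PHP files that an attacker dropped into a CMS. The shell example below is added here and is not part of the original article. It uses two cheap indicators, files changed recently (core files of a CMS that was not updated should not change) and files containing typical webshell or spam-script markers; the marker list is a constructed starting point rather than a complete signature set, and the sample webroot is constructed.

```shell
#!/bin/sh
# Added example: locate injected PHP files under a webroot. Two cheap
# indicators: files changed recently (a CMS core that was not updated should
# not change), and files containing typical webshell / spam-script markers.
# The marker list is a constructed starting point, not a complete signature
# set; the sample webroot below is constructed.

# Print PHP files under $1 modified within the last $2 days.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Print PHP files under $1 whose content shows one of three patterns:
#  - eval()/assert() fed by a decoder (base64, gzinflate, ...), typical of
#    obfuscated payloads;
#  - a shell-execution function fed straight from request parameters, i.e.
#    a webshell;
#  - mail() fed straight from request parameters, i.e. a form that lets the
#    visitor choose recipient, subject or body.
find_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|(system|exec|shell_exec|passthru|popen)[[:space:]]*\([^;]*\$_(GET|POST|REQUEST|COOKIE)|mail[[:space:]]*\([^;]*\$_(GET|POST|REQUEST)' \
        {} + | sort
}

tmp=$(mktemp -d)
mkdir -p "$tmp/www/wp-content/uploads"

# Legitimate contact form: fixed recipient, base64 used without eval.
cat > "$tmp/www/contact.php" <<'EOF'
<?php
$to = 'info@example.com';
$body = base64_decode($_POST['attachment']);
mail($to, 'Contact form', 'See attachment');
EOF
touch -t 202001010000 "$tmp/www/contact.php"   # old, as an untouched file would be

# Injected files: an obfuscated backdoor in the uploads directory and a
# "mailer" that takes everything from the request.
cat > "$tmp/www/wp-content/uploads/cache.php" <<'EOF'
<?php eval(base64_decode($_POST['c']));
EOF
cat > "$tmp/www/wp-content/uploads/send.php" <<'EOF'
<?php mail($_POST['to'], $_POST['subject'], $_POST['message']);
EOF

echo "changed in the last 7 days:"; recent_php "$tmp/www" 7
echo "suspicious content:";          find_suspicious_php "$tmp/www"
```

Upload directories (wp-content/uploads, images/, cache/) should never contain executable PHP at all, so a .php file there is suspicious regardless of content. Treat the grep as a triage aid: a clean result does not prove the site is clean, which is why the scanners in the bullets above, and a comparison against a fresh copy of the CMS core, remain necessary.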
Port scans

A port scan probes a range of ports on a server (often all of them) to find the open ones. Open ports tell an attacker which services are running, and those services are then attacked to gain access. Port scans coming from your VPS are very often caused by malware installed through an exploited vulnerability.

With ss -tunap (or netstat -tunap on older systems) you see every socket together with the process that owns it; plain netstat -a lists the sockets but not the process. A process with connections to many ports on one host, or to one port on many hosts, is the scanner. Use the PID from that output to investigate the process and stop it.
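The shell example below is added here and is not part of the original article. It summarises ss -tunap output per process and flags the shapes left by the outgoing brute forcing described earlier (one port, many hosts), by a port scan (many ports, one host) and by the SYN flood described further down (many sockets stuck in SYN-SENT). It assumes the column order current iproute2 prints (Netid State Recv-Q Send-Q Local:Port Peer:Port Process); the sample is constructed, not captured from a real system, and the process name kswapd0 is chosen because malware likes to disguise itself as a kernel thread, while a real kernel thread never owns a TCP socket.

```shell
#!/bin/sh
# Added example: summarise `ss -tunap` output per process and flag the
# shapes that outgoing brute forcing, port scanning and SYN flooding leave
# behind. Assumptions: the column order is the one current iproute2 prints
# (Netid State Recv-Q Send-Q Local:Port Peer:Port Process) and the sample
# below is constructed, not captured from a real system.

# Per process (pid and name): socket count, distinct peer hosts, distinct
# peer ports and sockets stuck in SYN-SENT. Listening/unbound sockets skipped.
ss_summary() {
    awk '
    $1 == "Netid" || $2 == "LISTEN" || $2 == "UNCONN" { next }
    {
        port = $6; sub(/.*:/, "", port)        # text after the last colon
        host = $6; sub(/:[^:]*$/, "", host)    # keeps [v6] addresses intact
        if (port == "*") next
        pid = "?"; name = "?"
        if (match($7, /"[^"]*",pid=[0-9]+/)) {   # users:(("name",pid=N,fd=M))
            split(substr($7, RSTART, RLENGTH), q, ",")
            name = q[1]; gsub(/"/, "", name)
            pid = q[2];  sub(/pid=/, "", pid)
        }
        key = pid " " name
        total[key]++
        if (!((key, host) in hseen)) { hseen[key, host] = 1; hosts[key]++ }
        if (!((key, port) in pseen)) { pseen[key, port] = 1; ports[key]++ }
        if ($2 == "SYN-SENT") syn[key]++
    }
    END {
        for (k in total)
            printf "%s sockets=%d hosts=%d ports=%d synsent=%d\n", k, total[k], hosts[k], ports[k], syn[k] + 0
    }' "$1" | sort -t= -k2 -nr
}

# Apply thresholds ($2 = how many counts as "many") and name the pattern.
ss_suspects() {
    ss_summary "$1" | awk -v t="$2" '
    {
        split($3, s, "="); split($4, h, "="); split($5, p, "="); split($6, y, "=")
        if      (h[2] >= t && p[2] == 1) why = "one port, many hosts: brute force or flood"
        else if (p[2] >= t && h[2] == 1) why = "many ports, one host: port scan"
        else if (y[2] >= t)              why = "many SYN-SENT: scan or SYN flood"
        else next
        print $1, $2, "-", why
    }'
}

# Constructed sample in the layout of `ss -tunap`.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Netid State    Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
tcp   LISTEN   0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=700,fd=3))
udp   UNCONN   0      0      0.0.0.0:68          0.0.0.0:*           users:(("dhclient",pid=601,fd=6))
tcp   ESTAB    0      0      203.0.113.10:443    192.0.2.55:51522    users:(("nginx",pid=901,fd=12))
tcp   ESTAB    0      0      203.0.113.10:443    192.0.2.56:40110    users:(("nginx",pid=901,fd=13))
tcp   ESTAB    0      0      203.0.113.10:43120  198.51.100.5:22     users:(("brute",pid=4242,fd=5))
tcp   ESTAB    0      0      203.0.113.10:43121  198.51.100.6:22     users:(("brute",pid=4242,fd=6))
tcp   ESTAB    0      0      203.0.113.10:43122  198.51.100.7:22     users:(("brute",pid=4242,fd=7))
tcp   ESTAB    0      0      203.0.113.10:43123  198.51.100.8:22     users:(("brute",pid=4242,fd=8))
tcp   SYN-SENT 0      1      203.0.113.10:43124  198.51.100.9:22     users:(("brute",pid=4242,fd=9))
tcp   SYN-SENT 0      1      203.0.113.10:43125  198.51.100.10:22    users:(("brute",pid=4242,fd=10))
tcp   SYN-SENT 0      1      203.0.113.10:50001  192.0.2.200:21      users:(("kswapd0",pid=5151,fd=3))
tcp   SYN-SENT 0      1      203.0.113.10:50002  192.0.2.200:22      users:(("kswapd0",pid=5151,fd=4))
tcp   SYN-SENT 0      1      203.0.113.10:50003  192.0.2.200:23      users:(("kswapd0",pid=5151,fd=5))
tcp   SYN-SENT 0      1      203.0.113.10:50004  192.0.2.200:25      users:(("kswapd0",pid=5151,fd=6))
tcp   SYN-SENT 0      1      203.0.113.10:50005  192.0.2.200:80      users:(("kswapd0",pid=5151,fd=7))
tcp   SYN-SENT 0      1      203.0.113.10:50006  192.0.2.200:443     users:(("kswapd0",pid=5151,fd=8))
EOF

ss_summary "$sample"
echo "---"
ss_suspects "$sample" 5
```

On a live system feed it real output with ss -tunap > /tmp/ss.txt and run ss_suspects /tmp/ss.txt 20 (ss -p only shows process names for sockets you own unless you run it as root). Once a PID is flagged, lsof -p PID and ls -l /proc/PID/exe /proc/PID/cwd show where the binary lives, which is usually the upload directory or /tmp the malware arrived in.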

How can I prevent this from happening?

  • Keep your CMS and its plugins updated to the latest version. For older versions the vulnerabilities are usually public, and automated scanners actively look for them.
  • Run a regular scan with tools such as ClamAV, rkhunter, chkrootkit or Linux Malware Detect (LMD) so malware is detected as early as possible; schedule the scan in a cronjob.
  • Install updates for the OS and all other software promptly.
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you do not use mail or SSH on it, there is no reason for those services to run or for their ports to be open; a closed port cannot be abused by outsiders. Check exactly which services and ports your VPS needs. A default-deny policy for outgoing traffic also stops a scanner from reaching anything but the few ports you allow. Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.
  • Use strong, hard-to-guess passwords, or better, SSH keys with password authentication turned off, and disable root login over SSH. Many of our default installations already have root login disabled for security reasons. Moving SSH and other frequently attacked services to a non-default port reduces the noise from automated scanners but does not stop a targeted attacker, so treat it as an extra and not as a replacement.

Copyright Infringement

When you share, or have shared, content without permission you can receive reports of copyright or trademark infringement. Typical causes are a torrent being shared from the VPS (directly or through a VPN running on it) and an image or brand logo displayed in your webshop without a licence. The simplest solution is to remove the infringing content from your VPS.

How can I prevent this from happening?

  • Make sure no torrent programs are running on your VPS. Apart from that, it is not advisable to publicly share media you uploaded to your VPS.
  • If you also run a VPN server on your VPS, make sure connected users cannot pass torrent traffic through it (for example by blocking the ports that torrent clients use).
  • If you sell products of certain brands or companies and use their images (such as logos), make sure you have a (licence) agreement with the owner of the brand.
  • Do not register or host domains that closely resemble popular brands or large companies. In almost every case you will be forced to remove the content and/or transfer the domain to the brand holder.

Outgoing (D)DoS-attacks

There are many different types of 'DDoS' attacks in use by malicious individuals and organisations on the Internet. In an outgoing DDoS attack your VPS sends an enormous number of packets to another server in order to make it unreachable for its visitors. The two most common attacks we see are UDP floods and SYN floods.

In a UDP flood your VPS sends a large number of UDP packets to random (usually unused) ports on the targeted server. Because no service listens on those ports, the target answers each packet with 'ICMP Destination Unreachable'; handling the flood and the replies consumes its resources until it becomes unreachable.

In a SYN flood your VPS sends a stream of SYN packets (the first step of the TCP handshake that sets up a connection between two hosts) to the target, often with a spoofed source IP address. The target answers each SYN with a SYN-ACK and waits for the final ACK, which never arrives. These half-open connections fill the target's connection table until it can no longer accept legitimate connections.

In both cases the chances are high that your VPS has been infected with malware and is now part of a 'botnet': outsiders control your VPS remotely and misuse it for these attacks.

How can I prevent this from happening?

  • Keep your CMS and its plugins updated to the latest version. For older versions the vulnerabilities are usually public, and automated scanners actively look for them.
  • Run a regular scan with tools such as ClamAV, rkhunter, chkrootkit or Linux Malware Detect (LMD) so malware is detected as early as possible; schedule the scan in a cronjob.
  • Install updates for the OS and all other software promptly.
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you do not use mail or SSH on it, there is no reason for those services to run or for their ports to be open; a closed port cannot be abused by outsiders. Check exactly which services and ports your VPS needs. Limiting outgoing traffic to what the VPS actually needs also takes most of the firepower away from flood malware. Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.
  • Use strong, hard-to-guess passwords, or better, SSH keys with password authentication turned off, and disable root login over SSH. Many of our default installations already have root login disabled for security reasons. Moving SSH and other frequently attacked services to a non-default port reduces the noise from automated scanners but does not stop a targeted attacker, so treat it as an extra and not as a replacement.
