What can I do about abuse originating from my VPS?

Abuse originating from a VPS comes in many shapes and sizes, so the fix differs per operating system, per piece of software and per type of abuse. In all cases it is strongly recommended to keep your server up to date and, if you have been affected by any of the abuse described below, to change all your passwords and restrict SSH access.

Because of this diversity it is impossible to cover every possible solution. The information below does offer suggestions on how to find the cause of the abuse and which measures prevent it.

There are several common forms of abuse listed below:

In our article 'VPS security' you'll find references to all our articles that explain how you can secure your VPS.


Spam

By far the most common cause is a spam script injected into the VPS through an exploit, usually in a popular CMS such as WordPress, Joomla or Drupal (or in one of its plugins or themes).

How can I prevent this from happening?

  • Keep your CMS and all its plugins and themes updated to the latest version. For older versions the vulnerabilities are almost always publicly known, and automated attacks look for exactly those.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware, such as a backdoor or spam script.
  • Use a security plugin such as WordFence for your WordPress website. For Joomla you can look at Securitycheck as a possible add-on.
  • If your website has no mail forms, disable PHP's mail function (for example via disable_functions in php.ini) or block outgoing traffic to port 25 for the web server user.
  • If you do use PHP mail forms, make sure the recipient ('To:') address and the other mail headers cannot be altered by the visitor: never take the recipient from the submitted form data, and reject input that contains line breaks. Otherwise visitors can send spam straight through your form.
  • For any form of website-related abuse it is very important to have the right file permissions. Almost every framework and CMS publishes a list of recommended permissions; when the web server user cannot write to core files, a vulnerability in one component cannot be used to alter the framework itself.
  • Run frequent scans with tools such as ClamAV or Linux Malware Detect (LMD) so malware on your server is detected as soon as possible; you can schedule these scans in a cronjob, for example.
  • Use our VPS Mailservice so outgoing spam is filtered or blocked before it reaches the Internet.
  • To prevent your mail address from being misused after your password has been obtained, never connect to the mail server without TLS (without it your password is sent in plain text) and always choose a strong, unique password.
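To find which script is actually sending the mail, PHP can log every mail() call itself. The following is an added example, not part of this article: it assumes the real PHP settings mail.add_x_header = On and mail.log = /var/log/php-mail.log are set in php.ini, parses the resulting log to rank scripts by number of mail() calls, and greps the web root for mail() calls whose recipient is taken straight from form input (the 'To:' problem from the list above). The log lines and PHP files it works on are constructed samples, and the path of the spam script in them is hypothetical.

```shell
#!/bin/sh
# Added example (not from the article). Requires in php.ini:
#   mail.add_x_header = On
#   mail.log = /var/log/php-mail.log
# PHP then writes one line per mail() call (assumed format of PHP's mail.log):
#   [date] mail() on [/path/to/script.php:LINE]: To: ... -- Headers: ...

# Rank PHP scripts in a mail.log by number of mail() calls, busiest first.
# usage: mail_log_rank /var/log/php-mail.log
mail_log_rank() {
    # pull "/path/script.php" out of "mail() on [/path/script.php:LINE]:"
    sed -n 's/.*mail() on \[\([^]]*\):[0-9]*\]:.*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Print only the busiest script path (the usual spam-script suspect).
mail_log_top() {
    mail_log_rank "$1" | head -n 1 | awk '{print $2}'
}

# Find mail() calls whose recipient comes directly from user input.
# usage: audit_mail_recipients /var/www
audit_mail_recipients() {
    grep -rn --include='*.php' -E 'mail[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST)' "$1" 2>/dev/null || true
}

# --- constructed sample data so the script runs stand-alone (not real log data) ---
SAMPLE_LOG=$(mktemp)
SAMPLE_SRC=$(mktemp -d)
trap 'rm -rf "$SAMPLE_LOG" "$SAMPLE_SRC"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[01-Jan-2024 10:00:00 UTC] mail() on [/var/www/html/contact.php:40]: To: sales@example.com -- Headers: From: web@example.com
[01-Jan-2024 10:00:01 UTC] mail() on [/var/www/html/wp-content/uploads/2024/01/cache.php:3]: To: victim1@example.net -- Headers: From: ceo@bank.example
[01-Jan-2024 10:00:01 UTC] mail() on [/var/www/html/wp-content/uploads/2024/01/cache.php:3]: To: victim2@example.net -- Headers: From: ceo@bank.example
[01-Jan-2024 10:00:02 UTC] mail() on [/var/www/html/wp-content/uploads/2024/01/cache.php:3]: To: victim3@example.net -- Headers: From: ceo@bank.example
EOF
# one form that lets the visitor choose the recipient (bad), one that does not (ok)
printf '%s\n' '<?php' 'mail($_POST["to"], "Hello", $_POST["msg"]);' >"$SAMPLE_SRC/form.php"
printf '%s\n' '<?php' 'mail("sales@example.com", "Hello", $_POST["msg"]);' >"$SAMPLE_SRC/ok.php"

echo "mail() calls per script:"
mail_log_rank "$SAMPLE_LOG"
echo "busiest script: $(mail_log_top "$SAMPLE_LOG")"
echo "mail() calls with a user-controlled recipient:"
audit_mail_recipients "$SAMPLE_SRC"
```

On a real VPS, run mail_log_rank against the configured mail.log and audit_mail_recipients against the web root; a script under an uploads or cache directory that tops the ranking is almost always the injected spam script.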

 


Outgoing bruteforce attacks

 

These attacks are usually performed by malware placed on exploited WordPress or Joomla installations (and are often aimed at other WordPress installations). Another possibility is that vulnerabilities in other software have been used by malware, or that the root account itself has been compromised (for example because a weak root password was brute-forced).

Usually the cause can be found by checking the running processes with ps aux | less. If a strange or unknown process appears in that list, use lsof -p $processid to see which files and network connections that process has open; replace '$processid' with the process ID from the 'ps aux' output. A binary that lsof shows as '(deleted)' is a strong sign of malware that removed itself from disk after starting.

How can I prevent this from happening?

  • Keep your CMS and all its plugins and themes updated to the latest version. For older versions the vulnerabilities are almost always publicly known, and automated attacks look for exactly those.
  • Use brute-force protection such as Fail2Ban; we have a separate manual for it.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware, such as a backdoor or spam script.
  • Use a security plugin such as WordFence for your WordPress website. For Joomla you can look at Securitycheck as a possible add-on.
  • For any form of website-related abuse it is very important to have the right file permissions. Almost every framework and CMS publishes a list of recommended permissions; when the web server user cannot write to core files, a vulnerability in one component cannot be used to alter the framework itself.
  • Run frequent scans with tools such as ClamAV, rkhunter, chkrootkit or Linux Malware Detect (LMD) so malware on your server is detected as soon as possible; you can schedule these scans in a cronjob, for example.
  • Update your software and the OS itself often!
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you don't use mail or SSH on it, there is no reason for those services to run or for their ports to be open: a service that is not reachable cannot be attacked, and malware that cannot connect out cannot brute-force other servers, send spam or join a botnet. Check exactly which services and ports your VPS needs for its purpose. Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.
  • Use strong, unique passwords, prefer SSH keys over passwords, and disable root login via SSH (PermitRootLogin no in the sshd configuration). Many of our default installations already have root login disabled for security reasons. Moving SSH and other exposed services to a non-default port reduces the noise from automated scanners, but it is no substitute for key-based authentication and patching.

Phishing

 

In most cases of phishing websites or pages on your VPS, the cause is an infected installation of WordPress, Joomla or another popular CMS. Almost every time a known, unpatched exploit was used by outsiders to place the phishing pages on your VPS.

How can I prevent this from happening?

  • Keep your CMS and all its plugins and themes updated to the latest version. For older versions the vulnerabilities are almost always publicly known, and automated attacks look for exactly those.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware, such as a backdoor or spam script.
  • Use a security plugin such as WordFence for your WordPress website. For Joomla you can look at Securitycheck as a possible add-on.
  • For any form of website-related abuse it is very important to have the right file permissions. Almost every framework and CMS publishes a list of recommended permissions; when the web server user cannot write to core files, a vulnerability in one component cannot be used to alter the framework itself.
  • Run frequent scans with tools such as ClamAV or Linux Malware Detect (LMD) so malware on your server is detected as soon as possible; you can schedule these scans in a cronjob, for example. Once you have found the phishing content on your server, remove it via (s)FTP or the command line, and also remove the backdoor that was used to upload it, otherwise the pages will simply reappear.

 


Malware

 

In most cases of malware being spread from your VPS, the cause is an infected installation of WordPress, Joomla or another popular CMS. Almost every time a known, unpatched exploit was used by outsiders to place the malware on your VPS.

How can I prevent this from happening?

  • Keep your CMS and all its plugins and themes updated to the latest version. For older versions the vulnerabilities are almost always publicly known, and automated attacks look for exactly those.
  • Do not download themes and plugins from unknown websites. A "free" copy of a normally paid add-on is frequently bundled with malware, such as a backdoor or spam script.
  • Use a security plugin such as WordFence for your WordPress website. For Joomla you can look at Securitycheck as a possible add-on.
  • For any form of website-related abuse it is very important to have the right file permissions. Almost every framework and CMS publishes a list of recommended permissions; when the web server user cannot write to core files, a vulnerability in one component cannot be used to alter the framework itself.
  • Run frequent scans with tools such as ClamAV or Linux Malware Detect (LMD) so malware on your server is detected as soon as possible; you can schedule these scans in a cronjob, for example. Once you have found the malicious content on your server, remove it via (s)FTP or the command line.
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you don't use mail or SSH on it, there is no reason for those services to run or for their ports to be open: a service that is not reachable cannot be attacked, and malware that cannot connect out cannot spread or fetch further payloads. Check exactly which services and ports your VPS needs for its purpose. Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.

 


Port scans

 

A port scan probes every (or a range of) ports on a server to find out which ones are open. Once open ports are found, the attacker tries to gain access to the services behind them. Port scans coming from your VPS are very often caused by malware installed through an exploited vulnerability.

With a command such as ss -tunap (or netstat -tunap on older systems) you can see every socket together with the process that owns it; the -p option needs root to show other users' processes. Use this to find the process that is generating the scanning connections and stop it.
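The following is an added example (not part of this article) that does this attribution automatically. It parses the output of ss -Htunap (assumed to follow the iproute2 column layout, run as root so the process column is filled) and reports per process how many connections it has, to how many distinct peers and on how many distinct destination ports. The same numbers also point out an outgoing brute-force attack (many peers, one port) or a flood (one peer, very many connections). The socket lines in the block are constructed samples with hypothetical process names and PIDs.

```shell
#!/bin/sh
# Added example (not from the article). Summarise `ss -Htunap` output per process.
# Assumed line layout (iproute2):
#   tcp ESTAB 0 0 10.0.0.5:51234 203.0.113.9:22 users:(("perl",pid=4242,fd=5))
# Reading the result:
#   many peers, one dport        -> brute force / mass exploitation of that service
#   one peer, many dports        -> port scan
#   one peer, very many conns    -> (D)DoS flood
# usage: ss -Htunap | conn_stats
conn_stats() {
    awk '
    {
        proc = ""; peer = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^users:/) { proc = $i; peer = $(i - 1) }
        if (proc == "") next                       # no process info (run as root)
        n = split(peer, part, ":")
        port = part[n]
        if (port == "*") next                      # unconnected (listening UDP) socket
        host = substr(peer, 1, length(peer) - length(port) - 1)
        match(proc, /"[^"]*",pid=[0-9]+/)
        key = substr(proc, RSTART, RLENGTH)        # "name",pid=N
        conns[key]++
        if (!((key, host) in seenh)) { seenh[key, host] = 1; peers[key]++ }
        if (!((key, port) in seenp)) { seenp[key, port] = 1; dports[key]++ }
    }
    END {
        for (k in conns)
            printf "conns=%d peers=%d dports=%d %s\n", conns[k], peers[k], dports[k], k
    }' | sort -t= -k2 -rn
}

# PID of the process with the most connections (the first thing to inspect with lsof -p).
busiest_pid() {
    conn_stats | head -n 1 | sed 's/.*pid=\([0-9]*\).*/\1/'
}

# --- constructed sample (not real data): a brute forcer, a scanner and a DHCP client ---
SAMPLE_SS=$(cat <<'EOF'
tcp ESTAB 0 0 10.0.0.5:51234 203.0.113.9:22 users:(("perl",pid=4242,fd=5))
tcp ESTAB 0 0 10.0.0.5:51235 203.0.113.10:22 users:(("perl",pid=4242,fd=6))
tcp ESTAB 0 0 10.0.0.5:51236 203.0.113.11:22 users:(("perl",pid=4242,fd=7))
tcp SYN-SENT 0 1 10.0.0.5:40001 198.51.100.7:21 users:(("nmap",pid=5150,fd=4))
tcp SYN-SENT 0 1 10.0.0.5:40002 198.51.100.7:23 users:(("nmap",pid=5150,fd=5))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=300,fd=6))
EOF
)

echo "per-process connection statistics (sample):"
printf '%s\n' "$SAMPLE_SS" | conn_stats
echo "most active pid: $(printf '%s\n' "$SAMPLE_SS" | busiest_pid)"
# on the affected VPS, as root:   ss -Htunap | conn_stats
```

Established inbound connections to your own services show up as well (their "dport" is then the client's random source port), so compare the process name with what you expect to be listening before drawing conclusions.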

How can I prevent this from happening?

  • Keep your CMS and all its plugins and themes updated to the latest version. For older versions the vulnerabilities are almost always publicly known, and automated attacks look for exactly those.
  • Run frequent scans with tools such as ClamAV, rkhunter, chkrootkit or Linux Malware Detect (LMD) so malware on your server is detected as soon as possible; you can schedule these scans in a cronjob, for example.
  • Update your software and the OS itself often!
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you don't use mail or SSH on it, there is no reason for those services to run or for their ports to be open: a service that is not reachable cannot be attacked, and malware that is only allowed to connect out to the few ports you actually need cannot scan the Internet. Check exactly which services and ports your VPS needs for its purpose. Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.
  • Use strong, unique passwords, prefer SSH keys over passwords, and disable root login via SSH (PermitRootLogin no in the sshd configuration). Many of our default installations already have root login disabled for security reasons. Moving SSH and other exposed services to a non-default port reduces the noise from automated scanners, but it is no substitute for key-based authentication and patching.

Copyright Infringement

 

When you share (or have shared) content without the right to do so, you can receive copyright or trademark infringement notices. A common cause is a torrent being shared from the VPS (directly or through a VPN running on it); another is an image or brand logo displayed in your webshop. The simplest solution is to remove the infringing content from your VPS.

How can I prevent this from happening?

  • Make sure you are not running any torrent programs on your VPS. It is also not advisable to publicly share media you uploaded to your VPS.
  • If you also run a VPN server on your VPS, make sure connected users cannot pass torrent traffic through it (for example by blocking the ports involved).
  • If you sell products of certain brands or companies and use their images (such as logos), make sure you have a (licence) agreement with the brand owner.
  • Do not register or host domains that closely resemble popular brands or large companies. In almost every case you will be forced to remove the content and/or transfer the domain to the brand holder.

 


Outgoing (D)DoS-attacks

 

There are many different types of 'DDoS' attacks in use by malicious individuals and organisations on the Internet. In an outgoing DDoS attack your VPS sends an enormous number of packets to another server in order to make it unreachable for its visitors. Two of the most common types are UDP floods and SYN floods.

In a UDP flood your VPS sends a large number of UDP packets to random (usually unused) ports of the attacked server. Because no service listens on those ports, the server answers each packet with an 'ICMP Destination Unreachable' message; the resources this consumes, together with the saturated network link, make the server unreachable.

In a SYN flood your VPS sends a stream of SYN packets (the first step of setting up a TCP connection) but never completes the handshake: the final ACK is never sent, often because the source address is spoofed so that the target's SYN-ACK replies go to a host that never answers. The attacked server keeps these half-open connections waiting until its connection table is exhausted and it becomes unreachable.

In both cases the chances are high that your VPS has been infected with malware and is now part of a 'botnet', through which outsiders control your VPS and misuse it for these attacks.

How can I prevent this from happening?

  • Keep your CMS and all its plugins and themes updated to the latest version. For older versions the vulnerabilities are almost always publicly known, and automated attacks look for exactly those.
  • Run frequent scans with tools such as ClamAV, rkhunter, chkrootkit or Linux Malware Detect (LMD) so malware on your server is detected as soon as possible; you can schedule these scans in a cronjob, for example.
  • Update your software and the OS itself often!
  • Disable unnecessary services and close their ports in the firewall of your OS, for both incoming and outgoing traffic. If your VPS only hosts a website and you don't use mail or SSH on it, there is no reason for those services to run or for their ports to be open: a service that is not reachable cannot be attacked, and a bot that is only allowed to connect out to the few ports you actually need cannot reach its controller or flood a target. Also drop outgoing packets whose source address is not your own, so the VPS cannot be used for spoofed floods. Check exactly which services and ports your VPS needs for its purpose. Tools such as CSF (ConfigServer Security Firewall) simplify firewall management.
  • Use strong, unique passwords, prefer SSH keys over passwords, and disable root login via SSH (PermitRootLogin no in the sshd configuration). Many of our default installations already have root login disabled for security reasons. Moving SSH and other exposed services to a non-default port reduces the noise from automated scanners, but it is no substitute for key-based authentication and patching.
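As an added example (not from the article, and not a CSF configuration) of the outgoing half of that firewall advice, the function below prints an nftables ruleset for the output hook with a default-drop policy: it allows only DNS, HTTP(S) and NTP outbound plus SSH for root, blocks direct SMTP from the web server user, and drops any packet whose source address is not the server's own, which is exactly what a spoofed-source SYN flood needs. The server address and the web server's uid are parameters; 203.0.113.5 and uid 33 (www-data on Debian/Ubuntu) are assumed values for the sample run. The same ruleset serves the firewall bullets in the brute-force, malware and port-scan sections above.

```shell
#!/bin/sh
# Added example (not from the article): egress allow-list for a web-only VPS.
# usage:  egress_ruleset <server-ipv4> <web-server-uid>
# apply:  egress_ruleset 203.0.113.5 33 | nft -f -        (as root, nftables installed)
# check:  egress_ruleset 203.0.113.5 33 | nft -c -f -     (syntax check only)
egress_ruleset() {
    my_ip=$1; web_uid=$2
    cat <<EOF
table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;

        # local traffic is always fine
        oif lo accept

        # anti-spoofing: never emit a packet whose source address is not ours
        # (a spoofed-source SYN flood never gets past this line)
        ip saddr != $my_ip log prefix "egress-spoof " drop

        # replies to connections that already exist (e.g. your own SSH session)
        ct state established,related accept

        # the web server must never speak SMTP directly; mail goes via the relay
        meta skuid $web_uid tcp dport 25 log prefix "egress-web-smtp " reject

        # explicit allow-list of outbound services
        udp dport 53 accept
        tcp dport { 53, 80, 443 } accept
        udp dport 123 accept
        meta skuid 0 tcp dport 22 accept

        # everything else (scans, floods, brute force, C2 traffic) is logged and dropped
        log prefix "egress-drop " drop
    }
}
EOF
}

# Sample run with assumed values; inspect before applying to a real server.
egress_ruleset 203.0.113.5 33
```

Before applying this on a server you manage over SSH, note that the established,related rule is what keeps your current session alive; add an ip6 saddr rule with the server's IPv6 address if it has one, and extend the allow-list with any port your own software genuinely needs (a package mirror on a non-standard port, a database on another host). Watch the kernel log for "egress-drop" entries for a day: a legitimate service you forgot shows up there once, malware shows up there constantly.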

Crypto miners

 

Cause

Crypto miners end up on your VPS when an exploitable vulnerability is used to install the miner, or when an attacker has gained SSH access to your VPS through other means (such as a weak or leaked password) and installs it by hand.

 

Solution

An active crypto miner usually reveals itself through an unusually high CPU load on your VPS (visible in the graphs in the TransIP control panel, or with the top command).

 

Step 1

First, find out which process is actually mining with the following command:

top

Press Shift+P to sort by CPU usage, find the culprit and note its PID.


 

Step 2

If you see an unfamiliar process with absurdly high CPU usage, first look at which files it has open (this usually reveals where the miner and its configuration live, and shows '(deleted)' if the binary was removed from disk after starting), then kill it:

lsof -p $processid
kill -9 $processid

Replace '$processid' with the PID noted in step 1.

You can now remove the miner. If it was installed as a package rather than dropped as a separate script or binary, remove it with the package manager:

CentOS 7:

yum -y remove minername

CentOS Stream, AlmaLinux, Rocky Linux:

dnf -y remove minername

Ubuntu/Debian:

apt -y remove minername

Is the miner a single script or binary? Search for its location and remove it as follows:

find /dir/ -name minername
rm -f /dir/minername

Replace /dir/ with the directory you want to search; /var/, /etc/, /home/ and /tmp/ are good candidates. Replace 'minername' with the name of the process found in step 1. If lsof showed the binary as '(deleted)', there is nothing left to find on disk. In every case also check the crontabs and systemd units for an entry that restarts the miner, and find and close the vulnerability or the SSH account that let it in, otherwise it will be back within hours.
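The procedure above as one added script (not from the article), with the two checks it does not spell out: whether the miner's binary was deleted after starting or lives only in memory (then there is nothing to find with find/rm, and the running process should be copied out of /proc before it is killed if you want to analyse it), and whether a cron job or systemd unit will simply start it again. It assumes a Linux VPS with /proc and GNU ps; the process names and paths in the comments are hypothetical. The triage function also covers the ps aux / lsof -p step from the brute-force section.

```shell
#!/bin/sh
# Added example (not from the article): find, identify, kill and clean up a miner.

# Processes ranked by CPU, highest first (same information as top sorted with P).
# usage: cpu_hogs [N]   (default 5)
cpu_hogs() {
    ps -eo pid=,pcpu=,user=,comm=,args= --sort=-pcpu | head -n "${1:-5}"
}

# Classify what /proc/PID/exe points to. Pure function, so it can be tested on text:
#   "memfd"   binary exists only in memory (e.g. /memfd:kthreadd (deleted))
#   "deleted" binary was unlinked after start (e.g. /tmp/.x/xmrig (deleted))
#   "ondisk"  regular file that find/rm can still reach
exe_status() {
    case "$1" in
        /memfd:*)      echo memfd ;;
        *' (deleted)') echo deleted ;;
        *)             echo ondisk ;;
    esac
}

# Show what a suspicious PID really is before killing it.  usage: triage_pid PID
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    echo "pid=$pid"
    echo "exe=$exe ($(exe_status "$exe"))"
    echo "cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "cmd=$(tr '\0' ' ' <"/proc/$pid/cmdline" 2>/dev/null)"
    echo "ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")"
    echo "uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")"
    # the image of a deleted or memory-only binary is still readable while it runs
    [ "$(exe_status "$exe")" = ondisk ] || echo "hint: cp /proc/$pid/exe /root/miner.bin before killing it"
    return 0
}

# Kill the process and remove its binary if one is still on disk.  usage: remove_miner PID
remove_miner() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    kill -9 "$pid" 2>/dev/null
    if [ "$(exe_status "$exe")" = ondisk ] && [ -f "$exe" ]; then
        rm -f -- "$exe" && echo "removed $exe"
    else
        echo "binary was $(exe_status "$exe"); nothing on disk to remove"
    fi
}

# Persistence check: where does NAME (binary name, path or URL) appear in
# cron, systemd units/timers, rc.local or init scripts?  usage: find_persistence NAME
find_persistence() {
    grep -rIl -- "$1" /etc/cron* /var/spool/cron /etc/systemd/system \
        /lib/systemd/system /etc/rc.local /etc/init.d 2>/dev/null
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | grep -q -- "$1" && echo "crontab of $u"
    done
    return 0
}

# Stand-alone run: show the top consumers and triage this shell as a harmless demo.
if command -v ps >/dev/null 2>&1; then cpu_hogs 3; fi
[ -d /proc/$$ ] && triage_pid $$
# real clean-up, once you have the PID from cpu_hogs:
#   triage_pid 4242; remove_miner 4242; find_persistence xmrig
```

Run find_persistence with every name you learned from triage_pid (the binary name, its directory, any URL in the command line); a cron line that re-downloads the miner is the most common way it comes back.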

 
