An exploited or hacked VPS is no longer fully under your control, with someone else partially controlling it for their own purposes. Common reasons for exploiting a VPS include:
- Sending spam email
- Launching attacks on other servers, consuming your resources
- Installing phishing websites to steal sensitive information
Background
A VPS can be compromised in two primary ways:
- A hacker guesses a user’s password for email, FTP, or SSH.
- A hacker exploits a security hole in a web application (or its plugins/addons) like WordPress, Joomla, or Drupal.
Identifying an Exploited VPS
Often, customers learn of a compromise from the VPS SELL Abuse Department. To detect breaches sooner, regularly check your VPS log files.
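As an added illustration of a routine log check (not part of the original article or any VPS SELL tooling), the script below reads SSH authentication log lines and flags password logins that were accepted from an IP address with several earlier failures, the pattern that password guessing leaves behind. It assumes OpenSSH's syslog format, as found in /var/log/auth.log or /var/log/secure; the function name, the threshold and the sample lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 02:14:01 vps sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 02:14:03 vps sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40114 ssh2
Mar  3 02:14:05 vps sshd[812]: Failed password for deploy from 203.0.113.7 port 40116 ssh2
Mar  3 02:14:06 vps CRON[820]: pam_unix(cron:session): session opened for user root
Mar  3 02:14:08 vps sshd[813]: Failed password for deploy from 203.0.113.7 port 40118 ssh2
Mar  3 02:14:11 vps sshd[814]: Accepted password for deploy from 203.0.113.7 port 40120 ssh2
Mar  3 09:30:40 vps sshd[901]: Failed password for alice from 198.51.100.20 port 51200 ssh2
Mar  3 09:30:52 vps sshd[901]: Accepted password for alice from 198.51.100.20 port 51200 ssh2
"""

# The user group is greedy, so the IP is always read from the last
# " from <ip> port <n> ssh2" on the line, whatever the username contains.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2\s*$"
)

def review_ssh_log(text, threshold=3):
    """Return (noisy, suspicious) for one auth log.

    noisy:      {ip: failed_count} for IPs with >= threshold failed passwords
    suspicious: [(ip, user, failures_before)] for password logins accepted
                from an IP that had already failed >= threshold times
    """
    failures = Counter()
    suspicious = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue  # not an sshd password event
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            suspicious.append((ip, m["user"], failures[ip]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, suspicious

if __name__ == "__main__":
    noisy, suspicious = review_ssh_log(SAMPLE_LOG)
    for ip, n in noisy.items():
        print(f"{ip}: {n} failed password attempts")
    for ip, user, n in suspicious:
        print(f"REVIEW: {user} logged in from {ip} after {n} failures")
```

An account that appears in the second list should be treated as possibly guessed: change its password and review what that session did.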
Preventive Measures
A. Use Strong Passwords
Use strong passwords for the Client Area, VPS, control panels, etc. Stronger passwords offer better protection. GRC (Gibson Research Corporation) offers a free tool to generate strong passwords with a mix of lowercase, uppercase, numbers, and symbols.
B. Use Secure Protocols
Whenever possible, use secure connections, such as SSL for email and SFTP instead of FTP.
C. Maintain Regular Backups
Regularly back up your data. If a domain or your entire service is compromised and the breach goes unnoticed, the backups taken afterwards may be compromised as well. Always restore from the last known clean backup.
D. Harden Your PHP Settings
Enhance security by modifying your php.ini file:
- Enable Safe Mode
- Disable allow_url_fopen
- Increase PHP security with PHPSecInfo
E. Working with Third-Party Applications
When using third-party software like WordPress, Drupal, or Joomla, consider these points:
- Choose reputable, secure software with frequent updates.
- Regularly update your software and subscribe to RSS feeds for updates.
What to Do If Hacked
- Back Up Your Data: Remember, this backup may contain compromised scripts. Do not restore directly from it.
- Take Your Website Offline: Take the site offline temporarily, or display an "Under Construction" page, to prevent serving hacked pages to users.
- Assess the Damage: Determine the scope of the problem. Are multiple domains affected?
- Start Recovery: Reinstall your environment from a known clean source.
- Restore Your Websites: Carefully restore your websites from clean backups.
Useful Links
Join and contribute to online communities dedicated to fighting badware and phishing: