Noticed some suspicious activity on my server, what do I do?

QUESTION: I've noticed my server recently had a sharp increase in outbound traffic, and I am unsure why. What can I do to investigate this?

You may have been the victim of a compromise on your system. This occasionally happens, and there are some steps you can take to investigate it and find the cause. If you believe that your server has been compromised, you can start troubleshooting by auditing the following log files, writable directories and running processes:

  • /var/log/auth.log : Check this log file for signs of unauthorized access and brute-force attempts. Use the 'last' command to cross-reference recent account logins with this file.
  • /tmp : This world-writable directory is often used by malicious parties to store files.
  • Web server logs: There may be a vulnerable script or web application. The location of these log files depends on your web server (Apache, nginx, etc.) configuration.
  • ps aux : Use this command to audit running processes for any you do not recognize.
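As an added example (not part of the original article), here is a small POSIX shell triage script for the /var/log/auth.log check above, run against a constructed sample log: it counts failed password attempts per source address and flags any source that failed repeatedly and then logged in successfully, which is exactly the login you would want to cross-reference with 'last'. The sample lines, hostnames, addresses and the threshold of 3 failures are all assumptions.

```shell
#!/bin/sh
# Added triage example (not from the original article). Summarises an auth.log
# in sshd's format: failed attempts per source, accepted logins, and the
# "many failures, then success" pattern that suggests a guessed password.

# Constructed sample in auth.log format; addresses are from RFC 5737
# documentation ranges, not real hosts.
SAMPLE_AUTH_LOG='Mar  3 02:14:01 vps sshd[1201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 02:14:03 vps sshd[1201]: Failed password for root from 192.0.2.10 port 51023 ssh2
Mar  3 02:14:05 vps sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51024 ssh2
Mar  3 02:14:09 vps sshd[1205]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar  3 02:15:30 vps sshd[1210]: Accepted password for root from 192.0.2.10 port 51030 ssh2
Mar  3 08:00:12 vps sshd[1300]: Accepted publickey for deploy from 203.0.113.5 port 60000 ssh2'

# failed_by_source: read log lines on stdin, print "<ip> <failures>" per
# source address, busiest source first.
failed_by_source() {
  grep 'Failed password' | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# accepted_logins: read log lines on stdin, print "<user> <ip>" for every
# accepted login, whether by password or by public key.
accepted_logins() {
  grep 'Accepted ' \
    | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from \([0-9.]*\) port .*/\1 \2/p'
}

# brute_force_then_success THRESHOLD: read log lines on stdin and print
# "<user> <ip>" for sources with at least THRESHOLD failures that later got
# an accepted login. Compare these against the output of 'last'.
brute_force_then_success() {
  threshold="${1:-3}"
  log="$(cat)"
  printf '%s\n' "$log" | failed_by_source | while read -r ip count; do
    [ "$count" -ge "$threshold" ] || continue
    printf '%s\n' "$log" | accepted_logins | awk -v ip="$ip" '$2 == ip'
  done
}

# Stand-alone run over the constructed sample.
# On a real server: brute_force_then_success 3 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_then_success 3
```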


If those do not help you, here are some more quick tips and links for the next steps you could take:

1. Look for recently modified files that look suspicious.

2. Look for suspicious processes that are running.

3. Run Linux antivirus software. Here are some examples:

If you do discover that your server has been compromised, below are some security practices for securing your VPS after a possible intrusion:

  • Change all passwords and make sure the new ones are strong.
  • Install the CSF firewall to block unauthorized access via SSH, FTP, RDP (for Windows), or any other ports you do not want others to reach: https://www.configserver.com/cp/csf.html. CSF will drop incoming connections unless the IP is whitelisted.
  • Update your OS and make sure ALL software running on the VPS is up to date, such as WordPress, including all plugins and themes.
  • Remove any old or no longer maintained WordPress plugins and themes.
  • Make sure any proxy or VPN software you use has a strong password and is properly secured so others cannot misuse it.
  • Check, stop and remove any suspicious software found running.
  • Remove emailing software and block the email ports if no email is supposed to be sent from your VPS.
  • Scan for malicious software; free Windows anti-virus software can be found by searching online.

If you determine that you cannot resolve this issue yourself, we strongly suggest that you rebuild your server; just submit a ticket to request that our support team rebuild it.

I hope this helps point you in the right direction.
