Last week we received abuse reports of SSH dictionary attacks coming
from a customer IP. At the time of investigation no attacks were
taking place but looking at historical bandwidth use it did seem
that something anomalous had happened in a few short bursts.
It was also obvious that the VPS had started using 100% of both of
its CPU cores around the same time as the first traffic spike:
The customer was then informed of the probable compromise.
While we were watching the outbound SSH connections a dictionary
attack started up again, so we had no option but to disable the
customer's network access.
The customer later confirmed presence of this malware:
They had got in through an SSH dictionary attack against the
customer and then installed this to continue attacks and mine
Unfortunately since the compromised account had full sudo access,
the customer had no choice but to completely reinstall.
We always recommend that password auth be disabled for SSH.
Do note that you can also upload SSH public keys and disable
password auth for your Xen Shell access, and/or require two factor
auth. This is set via the Panel:
About this email:
https://bitfolk.com/ -- No-nonsense VPS hosting