Hi, Last week we received abuse reports of SSH dictionary attacks coming from a customer IP. At the time of investigation no attacks were taking place but looking at historical bandwidth use it did seem that something anomalous had happened in a few short bursts. It was also obvious that the VPS had started using 100% of both of its CPU cores around the same time as the first traffic spike: https://imagebin.ca/v/4sqgOQKzxB4r The customer was then informed of the probable compromise. While we were watching the outbound SSH connections a dictionary attack started up again, so we had no option but to disable the customer's network access. The customer later confirmed presence of this malware: https://kindredsec.com/2019/05/31/dota-campaign-analyzing-a-coin-mining-and… They had got in through an SSH dictionary attack against the customer and then installed this to continue attacks and mine cryptocurrency. Unfortunately since the compromised account had full sudo access, the customer had no choice but to completely reinstall. We always recommend that password auth be disabled for SSH. Do note that you can also upload SSH public keys and disable password auth for your Xen Shell access, and/or require two factor auth. This is set via the Panel: https://panel.bitfolk.com/account/security/ About this email: https://tools.bitfolk.com/wiki/Security_incident_postings Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting