Common signs of a compromised VPS: unusual outbound traffic, sustained 100% CPU, unknown processes, or an abuse notice from the data center. If you suspect a breach, work through the steps below in order.
1. Confirm whether it's really compromised
last # recent logins — any unfamiliar IPs?
w # who's online now
ps aux --sort=-%cpu | head # suspicious high-CPU processes
ss -tunp # unusual outbound connections
crontab -l; ls /etc/cron.* # suspicious cron jobs
2. Immediate response
- If needed, restrict the network via console/firewall to cut outbound (common for miners/outbound attacks).
- Immediately rotate all related passwords and keys (root, panels, databases).
- Kill suspicious processes; remove rogue cron jobs and startup items.
3. Find the entry point
Most common causes: weak passwords with SSH password login enabled, unpatched web-app vulnerabilities (WordPress plugins, etc.), or leaked keys/.env. Review web access and application logs to locate what was exploited.
4. Clean thoroughly: reinstall first
After a breach, attackers may leave backdoors or rootkits. The safest path is to back up your data and reinstall the OS rather than deleting malware piece by piece. Then restore clean data and configs.
5. Prevent recurrence
- SSH key login + disabled passwords + a non-root user.
- ufw firewall with minimal open ports; install fail2ban.
- Patch the OS and all web apps/plugins promptly.
- Back up regularly; keep keys and
.envout of repos and never leaked.
Suspect something is wrong but unsure how to handle it? Contact sales on Telegram @aliyun370 for help.