Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

vps got hacked and sending out dos attack.
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

vps got hacked and sending out dos attack.

Hi, i have some VPS servers running on XEN, with CentOS5.x , recently servers were being unreachable , after examination, they all had a process running with random letters example scbhywvdav process and it is sending out lot of outbound traffic more likely a dos attack

have anybody seen such activity in any of your vps, and any quick fix to clean this


  • Don't use silly passwords like password124

    Use SSH Keys..

    You've already been comprised so you'll want to reinstall your servers.

  • NekkiNekki Veteran
    edited November 2014

    Reinstall. There is no other way to be sure you've removed the infection and that the hacker cannot regain entry to your VPS.

  • deployvmdeployvm Member, Host Rep
    edited November 2014


    Has your VPS been compromised or seen any unusual logins via the SSH log?

    I suggest you turn off your network interface (e.g. eth0) and investigate the processes further. Check /tmp and the location of the processes. You must have console access or do not do this.

    Install maldet and clamav, update and run a scan of your entire system. It should detect most.

    If you would like easier method, I think it would be best that you backup all you files and install a clean CentOS 5 image.

    I think you should also use CentOS 6, not 5 as it is quite old now.


  • ATHK said: you'll want to reinstall your servers.


    Nekki said: Reinstall.

    Nothing else to add (more or less). You should also hire a server management company for taking care of properly securing the server in the future, or alternatively get a managed service.

    Thanked by 1ATHK
  • the type of hack has been same in all type of servers some centOS and one had Ubuntu, the process are being created with files under /boot and a init process under etc/init.d

  • okay, am gonna try doing a backup and reinstall to latest 6.0 , meanwhile will see what does maldet will say just to know what happened.

  • what if there is a keylogger or backdoor in your computer? i had experienced this no matter how much reinstalling i did and passwords i changed in my vps, someone else broke in.

  • Check your local machine out too and look at recreating and re-installing the VM's.

    With it being CentOS 5 were you also running Kloxo?

  • Reinstall the OS & secure SSH by changing SSH port & disabling login through root password (Only SSH keys will let you login on SSH).

    Also look in your own PC or any device with which you connect to server, might be possible that it's the culprit behind all that :)

  • linuxthefishlinuxthefish Member
    edited November 2014

    I've seen this loads, a random process name hiding in /boot and sending out nasty traffic and name always changes when you kill it...

  • okay, so clamav and maldet found nothing so, time to backup/destry

  • You're lucky that they didn't launched a forkbomb...

  • 40 character long password + change ssh port may be good enough

  • turnkeyintenetturnkeyintenet Member, Host Rep

    no quick fix (As mentioned non stop above), you are in for a reformat on this one. But, if your vps provider offers a backup, you can try rolling back a week/month (you could make a backup of any recent data like emails, or html files but i wouldn't trust any data active on that box now). If you are lucky you may roll back to a time before whomever exploited your box got in. You could then follow the above comments (from long passwords, to a firewall, to trying to run 'yum update' etc) and hope however they got in was a common entry method that is squashed by simple password/firewall (and you may dodge a bullet)

  • turnkeyintenet said: But, if your vps provider offers a backup, you can try rolling back a week/month

    There'd be still a chance that even the backup is compromised.

  • turnkeyintenetturnkeyintenet Member, Host Rep

    @alessio said:
    There'd be still a chance that even the backup is compromised.

    Quite true - it's basically luck if you get a backup before the compromise took effect, but my guess if it whent into full on tilt for abuse just recently, it may of been a recent full on compromise.

  • turnkeyintenet said: Quite true - it's basically luck if you get a backup before the compromise took effect, but my guess if it whent into full on tilt for abuse just recently, it may of been a recent full on compromise.

    True, but personally I wouldnt take the risk of the gamble if the backup is compromised or not. A fresh install and a redeploy of the data without any code from the backup.

    Thanked by 1Nekki
  • Re-install is the best option for you in this case.

    If you want to backup your files, you can use clamav or whatever to scan your backup files before copying to the server again.

  • Reinstall your server, as everyone is saying its the best way to make sure you have destroyed the infection, plus I can secure your server, I have secured mine before, I can tell you what you need to do is, basically change the ssh port, change your password to something 30+ characters, if you don't have your password longer than 8 characters it would be too easy for me to hack into your box(of course I would never do that since I am an ethical hacker, not some bad guy.) but anyway it would be best to do the suggestions above, and within my post, and when you get everything set back up please install fail2ban as I have installed it on my vps's before to stop people from trying to get into it as if you try too many times to brute-force the password it will automatically ban you.

  • If you want to be paranoid, also reset the password to your email address and ensure that there's no unusual secondary email addresses or mobile numbers in the account if relevant. Use 2-step auth. Reset the passwords you created with your provider (do the email step first as your email security underpins this process). Check for malware before all this.

    Use common sense. Sometimes it's not your fault but to begin with, assume it is. Sometimes providers are at fault (exploitable WHMCS as an example).

  • MaouniqueMaounique Host Rep, Veteran
    edited November 2014

    ricardo said: If you want to be paranoid

    If all machines are under the same panel and were all compromised same time with same kit, you would be crazy not to suspect the point of entry was the panel due to a bad password or the panel or email box being compromised.
    That would not be paranoia in any way shape or form.

  • @slicebox do yo use either Kloxo or Webmin?

  • netomxnetomx Moderator, Veteran

    Don't reinstall - just restart the vps and the problem will go away.

          -Just any customer who will not listen to our words and will make the easiest way - then, will bash the provider again in a few days. 
    Thanked by 1ATHK
  • I am using kloxo panel and I experienced it on 2 of my vps recently.

  • @qwerty11 if you are using mod_ruid2 consider to upgrade it to the newer version. You might want to read this:,321.msg1553.html#new

  • sliceboxslicebox Member
    edited November 2014

    am running webmin and dns on the vps which were effected, the other did not have a control panel, it had a openvpn installed on it. it seems more like someone found a vulnerability of OS (ssl was updated so it was not openssl)

Sign In or Register to comment.