for softshellweb

About ticket #005872 (an idle VPS used up 20,000 GB traffic), Hermes (GPT 5.4) suggested the following, which might be helpful to you.

Not proven.

What the screenshot does prove:

  • the VPS hit its bandwidth cap: 20000.1 / 20000 GB
  • the provider marked it Network Suspended
  • traffic was very heavy
  • inbound traffic is much larger than outbound

What that means:

  • this is definitely a network/bandwidth event
  • it is not, by itself, evidence of a hack
  • it could be:
    • legit heavy traffic
    • a misconfigured service
    • a DDoS / being targeted
    • a bad sync/download job
    • abuse after compromise

What makes me hesitate to call it “hacked” from this alone:

  • the screenshot shows graphs, not auth logs, processes, files, or malware
  • inbound dominating outbound is not the classic “your box is exfiltrating/spamming” picture

Best current judgment:

  • suspicious, yes
  • confirmed hacked, no

To decide properly, check these first on the VPS:
last -a | head -30
sudo journalctl -u ssh -u sshd --since "7 days ago" | tail -200
ss -tulpn
ps aux --sort=-%mem | head -40
for u in $(cut -d: -f1 /etc/passwd); do sudo crontab -u "$u" -l 2>/dev/null | sed "s/^/$u: /"; done   # root is in /etc/passwd; crontab -u needs root, so sudo goes inside the loop; prefix shows whose entry it is
sudo find /etc/systemd /usr/lib/systemd /root/.config/systemd -type f 2>/dev/null | xargs grep -HE 'curl|wget|bash -c|\bnc\b|python3? -c' 2>/dev/null | head -200   # -R is redundant when xargs hands grep the files; \bnc\b avoids matching "sync", "enc" etc.

Also inspect:

  • provider abuse notice
  • web/app access logs
  • nginx/apache logs
  • unusual public ports
  • any new users or SSH keys in ~/.ssh/authorized_keys

If this VPS was supposed to be mostly idle, my default suspicion would be public-service abuse or being hammered, not “definitely full root compromise.”
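Two of the "also inspect" items above, unusual public ports and unexpected SSH keys, scripted as a small bash triage helper. This is an added example, not part of the original post or of Hermes's output; the `ss -tulpn` output, the key blobs, and the allowlists are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed `ss -tulpn` output; placeholder PIDs and processes, not from the ticket.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*   users:(("mysqld",pid=901,fd=20))
tcp   LISTEN 0      4096   *:9000              *:*         users:(("python3",pid=4444,fd=5))
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*   users:(("dnsmasq",pid=700,fd=4))
tcp   LISTEN 0      128    [::]:22             [::]:*      users:(("sshd",pid=812,fd=4))'

# Print "proto port process" for each socket bound to a wildcard address (0.0.0.0, *, [::])
# whose port is not in the space-separated allowlist $2. Loopback-only services are skipped.
unexpected_public_listeners() {
  local ss_output=$1 allowed=" $2 "
  printf '%s\n' "$ss_output" | awk -v allowed="$allowed" '
    NR == 1 { next }                              # header row
    {
      n = split($5, a, ":"); port = a[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr != "0.0.0.0" && addr != "*" && addr != "[::]") next
      if (index(allowed, " " port " ") > 0) next
      proc = $7; gsub(/.*\(\("/, "", proc); gsub(/".*/, "", proc)
      if (proc == "") proc = "?"                  # ss without root shows no process
      print $1, port, proc
    }'
}

# Constructed authorized_keys content; the blobs are placeholders, not real keys.
SAMPLE_KEYS='ssh-ed25519 AAAAC3PLACEHOLDERADMINKEY admin@laptop
# comment line
no-pty,command="/bin/sh" ssh-rsa AAAAB3PLACEHOLDERUNKNOWN x
ssh-ed25519 AAAAC3PLACEHOLDERDEPLOY deploy@ci'

# Print every key entry whose blob is not in the space-separated known list $2. The key-type
# field is located wherever it sits, so entries with an options prefix (command=, no-pty) match too.
unexpected_authorized_keys() {
  local keys=$1 known=" $2 "
  printf '%s\n' "$keys" | awk -v known="$known" '
    /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
    {
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
          if (index(known, " " $(i + 1) " ") == 0) print "line " NR ": " $0
          break
        }
    }'
}

unexpected_public_listeners "$SAMPLE_SS" "22 53"
unexpected_authorized_keys "$SAMPLE_KEYS" "AAAAC3PLACEHOLDERADMINKEY AAAAC3PLACEHOLDERDEPLOY"
```

On a live box replace the sample strings with `"$(ss -tulpn)"` and `"$(cat ~/.ssh/authorized_keys)"`, and build the allowlists from what the VPS is supposed to run.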
