
How to stop abuse which originates from your VPS

Abuse originating from a VPS can take many different forms, depending on the operating system, software, or the type of attack involved. The most common cases include sending spam, brute-force attacks, phishing, malware, port scans, or even participation in DDoS attacks.

Handling such incidents depends on the nature of the problem, but there are several basic steps you can take to identify and prevent abuse. It is always recommended to:

  • Keep your server and operating system up to date.
  • Change all passwords after any abuse incident.
  • Restrict SSH access to authorized IP addresses only.

Main types of abuse

  • Spam (sending unwanted emails)
  • Outgoing brute-force attacks
  • Phishing
  • Malware
  • Port scans
  • Copyright infringement
  • Outgoing (D)DoS attacks
  • Crypto miners

Dealing with unwanted email (Spam) sent from your VPS

If you notice that your VPS is sending unwanted or bulk emails (“spam”) to third-party recipients, the most likely cause is a vulnerability that has been exploited to install a spam script, or an unprotected contact form on one of the websites hosted on your server.

In such cases, you will likely receive an abuse report from your provider or another third party. These reports typically include the email headers of the messages that were sent, which can be used to trace the source or script responsible for sending the spam.

In the past, the most common cause of such incidents was email account hacking (mailbox compromise). However, with the widespread use of CMS platforms such as WordPress, Joomla, Drupal, etc., the main cause has shifted to spam scripts uploaded or injected into website files.

If you receive a notification that spam has been sent from your VPS, it is recommended to perform a full scan of your website’s file system (or all websites hosted on the VPS) to check for any unknown or suspicious files.


Spam scripts – how to identify them

If you are not hosting any websites with contact forms, the issue is likely caused by a spam script installed via a security vulnerability.

These scripts are typically PHP files that automatically send bulk emails from your server. They may have been created recently or disguised within existing legitimate CMS files.

Common characteristics of spam scripts include:

  • Random or unusual filenames, such as 23gw1pnb.php or mailr_sendx.php.
  • Files that appear legitimate, e.g. template.config.php or settings.inc.php, but contain injected malicious code.
  • Code embedded in existing CMS files (e.g. functions.php or header.php).
  • Use of gzinflate() and base64_decode() functions to obfuscate or encode content.
  • Connections to external URLs or IPs acting as “command servers.”

Since CMS installations contain hundreds or thousands of files, it is difficult to visually identify which files are malicious. For that reason, it is important to use scanning tools.


Using antivirus tools for detection and cleanup

If you suspect that your VPS is infected and sending spam, immediately perform a scan using antivirus tools such as ClamAV, available for most Linux distributions (AlmaLinux, Rocky Linux, CentOS Stream, Ubuntu, Debian).

After installation, you can run a full scan with the following command:

clamscan -r -i /var/www/

The -r option recurses into all website directories and -i prints only the files that matched a known malware signature, which keeps the output readable on a large CMS installation. Review each hit before acting on it: move or delete confirmed malicious files manually, and expect the occasional false positive on legitimate minified or obfuscated CMS code.

Using ClamAV through control panels

  • cPanel: Has built-in support for ClamAV. Go to Manage Plugins → Configure ClamAV Scanner to enable and configure automatic scans.
  • DirectAdmin: Has no native support, but an installation guide is available on the official DirectAdmin site.
  • Plesk: Does not support ClamAV directly but includes Dr.Web Antivirus, which provides similar scanning functionality.

For additional security, you can schedule periodic scans via a cron job so that your VPS is automatically scanned (e.g. every 24 hours).
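As an added example (not from the article or from the ClamAV project), the following script runs such a scheduled scan and quarantines hits rather than deleting them, so a false positive on a legitimate CMS file can be put back. It assumes clamscan and freshclam are installed and the web roots are under /var/www; the quarantine directory /var/quarantine and the log path are choices made for illustration:

```shell
#!/bin/sh
# Added example (not from the original article): a nightly ClamAV sweep of
# the web roots that quarantines detections instead of deleting them.
# Assumptions: clamscan/freshclam installed, web roots under /var/www,
# /var/quarantine on the same filesystem (so mv stays a rename).
WEBROOT="${WEBROOT:-/var/www}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOG="${LOG:-/var/log/clamav/webroot-scan.log}"

# clamscan -i prints one line per hit, e.g.
#   /var/www/site/wp-content/uploads/x9k2.php: Php.Trojan.Mailer-1 FOUND
# Reduce such lines (read on stdin) to the bare file path.
parse_clamscan_hits() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p'
}

# Move a hit into the quarantine tree, keeping its original path below a
# per-day directory so it can be traced back, and strip all permissions so
# the web server cannot execute or serve it from its new location either.
# Prints the quarantine path.
quarantine_file() {
    dest="$QUARANTINE/$(date +%Y%m%d)$1"
    mkdir -p "$(dirname "$dest")" \
        && mv -- "$1" "$dest" \
        && chmod 000 "$dest" \
        && echo "$dest"
}

scan_webroot() {
    mkdir -p "$(dirname "$LOG")"
    # Update signatures first; if freshclam already runs as a daemon this
    # fails harmlessly and the current signature set is used.
    freshclam --quiet 2>/dev/null || echo "freshclam failed, scanning with existing signatures" >&2
    # -r recurse, -i report only infected files, --no-summary keeps the
    # output parseable. Each detection is quarantined and logged.
    clamscan -r -i --no-summary "$WEBROOT" 2>/dev/null \
        | parse_clamscan_hits \
        | while IFS= read -r f; do
              q=$(quarantine_file "$f") \
                  && printf '%s quarantined %s -> %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$f" "$q"
          done | tee -a "$LOG"
}

# Install as /usr/local/sbin/clamav-webroot.sh and schedule it nightly, e.g.
# in /etc/cron.d/clamav-webroot:
#   0 3 * * * root /usr/local/sbin/clamav-webroot.sh --run
if [ "${1:-}" = "--run" ]; then scan_webroot; fi
```

Quarantined files keep their full original path under a dated directory, so the log line alone tells you where to restore a false positive from and when it was removed; a deleted file leaves no such trail.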


Additional security measures

  • Always keep your CMS and its plugins up to date.
  • Only use trusted plugins and themes from official sources.
  • Install security plugins such as Wordfence (for WordPress) or SecurityCheck (for Joomla).
  • Disable PHP's mail() function on sites that do not need to send mail, so an injected script has nothing to call.
  • Block outbound connections to port 25 from everything except your own mail server, so scripts cannot deliver spam directly to remote mail servers.
  • Ensure contact forms do not let the visitor set the recipient (TO:) address or inject additional mail headers.
  • Review file and folder permissions according to CMS recommendations.
  • Perform regular scans using ClamAV or LMD (Linux Malware Detect, also known as maldet).
  • Use TLS (HTTPS, SFTP) for all connections and choose strong, unique passwords.

Outgoing brute-force attacks

Outgoing brute-force attacks are usually run by malware dropped through a compromised CMS, or by an attacker who logged in over SSH with a guessed or leaked root password.

To identify suspicious processes:

  • Run: ps aux | less
  • Locate unknown processes and inspect their open files and network connections using: lsof -p PID

Prevention

  • Frequently update your CMS and plugins.
  • Install Fail2Ban to block repeated failed logins against your own services.
  • Avoid “free” plugins from untrusted sources.
  • Regularly scan your system with ClamAV, rkhunter, chkrootkit, or LMD.
  • Close unnecessary ports in your firewall and disable services you do not use (e.g. the mail server if the VPS sends no mail).
  • Use strong passwords, or better SSH keys, and disable root login via SSH.
  • Change the default SSH port; this cuts down automated scanning noise but is no substitute for the measures above.

Phishing & Malware

Phishing sites or malicious files on a VPS are usually placed via known vulnerabilities in CMS platforms. The process of detection and prevention is similar:

  • Always keep your CMS and plugins updated.
  • Avoid downloading themes or plugins from unverified sources.
  • Use security extensions such as Wordfence or SecurityCheck.
  • Set correct file and folder permissions.
  • Regularly scan with ClamAV or LMD.
  • Remove malicious files via SFTP or the command line.
  • Limit open ports in the firewall and close those not in use.

Port Scans

Port scans originating from your VPS are usually run by a malicious script or binary installed through an exploited vulnerability.

Check active network connections, together with the process that owns each one (run as root so the PID/program column is filled in), using:

netstat -antp
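The following added example (not part of the original article) serves both this section and the outgoing brute-force section above: it groups the connections reported by ss -tnp by owning process, so one process holding dozens of connections to port 22 on different hosts, or hundreds of half-open SYN-SENT sockets left behind by a scan, stands out immediately. The list of target ports is an assumption to adjust; ss is part of iproute2 on current Linux distributions:

```shell
#!/bin/sh
# Added example (not from the original article): group the sockets shown by
# `ss -tnp` by owning process to spot outgoing brute-force and port-scan
# activity. Assumptions: Linux with iproute2; run as root so the Process
# column is populated for every socket. Scanners using raw sockets (nmap
# SYN scans as root) do not appear here; for those, watch the traffic graph.

# Ports an attacker brute-forces from a compromised box. Adjust to taste.
TARGET_PORTS='^(21|22|23|25|465|587|3306|3389|5900)$'

# Read `ss -tnp` output on stdin and print "connections pid program" for
# every process with ESTAB or SYN-SENT sockets to a target port, busiest
# first. SYN-SENT is what a scan or flood leaves behind: many sockets, few
# answers.
suspicious_outbound() {
    awk -v ports="$TARGET_PORTS" '
        NR == 1 { next }                                # header line
        $1 != "ESTAB" && $1 != "SYN-SENT" { next }
        {
            n = split($5, peer, ":"); port = peer[n]    # also works for [v6]:port
            if (port !~ ports) next
            pid = "?"; cmd = "?"
            if (match($6, /pid=[0-9]+/)) pid = substr($6, RSTART + 4, RLENGTH - 4)
            if (match($6, /\("[^"]+"/))  cmd = substr($6, RSTART + 2, RLENGTH - 3)
            count[pid " " cmd]++
        }
        END { for (k in count) print count[k], k }' \
    | sort -rn
}

# Usage: sh outbound-triage.sh --scan
# Follow up on each PID with lsof -p PID before killing it, so the binary
# and its working directory are on record.
if [ "${1:-}" = "--scan" ]; then ss -tnp | suspicious_outbound; fi
```

A php-fpm or cron process with one or two connections to a remote mail or database server is normal; a perl, python or oddly named binary with dozens of connections to port 22 on unrelated hosts is the brute-forcer.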

Prevention

  • Keep your CMS and operating system updated.
  • Use ClamAV, rkhunter, or LMD for malware detection.
  • Restrict firewall services to only what’s necessary.
  • Use strong passwords and change the SSH port.

Copyright Infringement

If you receive a copyright infringement notice, it usually stems from illegally distributed content (e.g. torrents) or unauthorized use of images/logos.

  • Do not run torrent clients or file-sharing applications.
  • Avoid publicly sharing files stored on your VPS.
  • If you operate a VPN server, block torrent traffic.
  • Only use brand images/logos you are licensed to use.
  • Do not register domains that resemble well-known brands.

Outgoing (D)DoS Attacks

If your VPS participates in UDP or SYN flood attacks, it is likely infected and part of a botnet.

Prevention

  • Keep your CMS and plugins updated.
  • Use ClamAV, rkhunter, or LMD for regular scans.
  • Frequently update your operating system and installed services.
  • Limit open ports in the firewall.
  • Use strong passwords and change the default SSH port.

Crypto Miners

Miners are often installed through exploited vulnerabilities or unauthorized SSH access.

Detection and Removal

  • Check CPU usage via top or your control panel graphs; a miner keeps the CPU pegged around the clock, while a busy website fluctuates.
  • In top, sort by CPU usage (Shift + P) and note the PID of the offending process. Do not trust the process name: miners often rename themselves after kernel threads or system daemons.
  • Before terminating it, locate the binary and its working directory with lsof -p PID; once the process is gone this information is lost.
  • Terminate the process using kill -9 PID.
  • Remove the binary. Miners are rarely installed through the package manager, but if one was, remove it with your distribution's tool (minername is a placeholder for the package name):
    • CentOS: yum -y remove minername
    • AlmaLinux/Rocky: dnf -y remove minername
    • Ubuntu/Debian: apt -y remove minername
  • If it is a standalone binary or script, find and delete it: find / -name minername, then remove the path it reports, e.g. rm -f /var/minername.
  • Look for the mechanism that would restart it: cron jobs, systemd units and SSH authorized_keys entries you did not add. Remove those, then change all passwords, otherwise the miner will be back after the next reboot.
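As an added example that is not part of the original article, the following script carries out the procedure above in the safe order: collect evidence, then kill, then hunt for persistence. It assumes Linux with procfs; the cron and systemd directories are the usual ones and can be overridden via environment variables, and the process names in the comments are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the original article): triage of a CPU-hogging
# process suspected to be a miner. Evidence is collected BEFORE the process
# is killed, because lsof and /proc only describe it while it runs, and the
# persistence that would bring it back after a reboot is searched for.
# Assumptions: Linux with procfs; cron/systemd in the usual places.
CRON_DIRS="${CRON_DIRS:-/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron /var/spool/cron/crontabs}"
UNIT_DIRS="${UNIT_DIRS:-/etc/systemd/system /usr/lib/systemd/system}"

# Top N processes by CPU with the real executable behind each one. Miners
# often call themselves "kswapd0" or "sshd"; readlink on /proc/PID/exe shows
# where the binary actually lives.
top_cpu() {
    ps -eo pid=,pcpu=,user=,comm= --sort=-pcpu | head -n "${1:-5}" \
    | while read -r pid cpu user comm; do
          exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unreadable)
          printf '%-7s %6s%% %-10s %-16s %s\n' "$pid" "$cpu" "$user" "$comm" "$exe"
      done
}

# 0 (true) if an executable path is one a miner would use: temporary or
# world-writable directories, hidden directories, the web root, home
# directories, or a binary deleted after launch (readlink then appends
# " (deleted)"). Everything else is treated as normal.
is_suspicious_exe() {
    case "$1" in
        *" (deleted)"|unreadable) return 0 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*|/var/www/*|/home/*|*/.*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# List cron and systemd files that mention the miner's name or path.
find_persistence() {
    for f in $CRON_DIRS $UNIT_DIRS; do
        [ -e "$f" ] && grep -rl -- "$1" "$f" 2>/dev/null || true
    done
    return 0
}

# Record everything about one PID, then print the commands that finish the job.
triage_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unreadable)
    echo "exe:     $exe"
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "ppid:    $(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)"
    is_suspicious_exe "$exe" && echo "WARNING: executable location is suspicious"
    name=$(basename "${exe% (deleted)}")
    echo "persistence mentioning $name:"
    find_persistence "$name"
    echo "next: kill -9 $pid; rm -f -- '${exe% (deleted)}'; then remove the cron/systemd entries listed above"
}

# Usage: sh miner-triage.sh --top     (show the top CPU consumers)
#        sh miner-triage.sh PID       (collect evidence for one process)
if [ "$#" -eq 0 ]; then :; elif [ "$1" = "--top" ]; then top_cpu 5; else triage_pid "$1"; fi
```

Run the PID form before the kill: a miner whose binary was deleted after start exists only in memory, and /proc/PID/exe is the last place its original path can be read.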
