Security breaches and unauthorised activity can compromise your server, leading to data theft, service disruptions, or malware infections. One of the first signs of a compromise can be unusual spikes in resource usage, such as high CPU load, excessive network traffic, or unexpected disk activity.

This guide will walk you through methods for detecting suspicious activity using system tools on most Linux and Windows VPSs.






Using Resource Alerts for Early Threat Detection


Resource Alerts provide a convenient way to monitor server performance without requiring additional setup. Every five minutes, key performance metrics are recorded, and at four-hour intervals, the data is averaged and compared against default thresholds. If a metric exceeds its threshold, an email alert is sent to notify the account owner.

Note: While Resource Alerts offer a basic level of monitoring, those requiring a more robust alerting system should consider third-party solutions. Refer to our guide on Regular Log Monitoring and Alerting for more information.


Common Resource Alert Triggers and Their Potential Security Implications:

  • CPU Usage – High sustained CPU usage could indicate cryptojacking, excessive load from malware, or a runaway process.

  • Disk I/O Requests – A spike in disk I/O may suggest swap usage due to memory exhaustion, malware activity, or a compromised system processing unauthorised tasks.

  • Incoming Network Traffic – A sudden increase could indicate a Denial of Service (DoS) attack or brute-force login attempts.

  • Outgoing Network Traffic – A spike in outbound traffic might signal that the server has been hijacked for spam delivery or data exfiltration.

  • Data Transfer Limit – Unexpected data transfer usage may indicate unauthorised file downloads or malicious bot activity.

  • Disk Space – Running out of disk space could be caused by log flooding, malware file dumps, or excessive temporary files.

  • Memory Consumption – If memory consumption exceeds 100%, the system may be relying on swap, indicating resource exhaustion from a memory leak, high-load attack, or a malicious process.



If a Resource Alert is triggered, check your VPS's Resource Graphs (mPanel -> myserver.bnr.la -> Options (⚙️) -> Resource Graphs) to analyse recent trends and investigate any unexpected spikes in CPU, disk, and network activity.







Identify and Investigate Suspicious Processes and Files


Linux:

  • Use the command `lsof -i` to list open network connections. You can also use Wireshark to perform a more in-depth trace on open connections.

  • Use `ps -ef` to list all running processes.

  • Check the executable files of suspicious processes using `ls -al /proc/process_id/exe`.

  • Inspect common directories for malicious files, such as `/boot`, `/tmp`, `/run`, and `/root`.

  • Find recently modified files that might be suspicious:

    find / -type f -mtime -3 2>/dev/null
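The `ps -ef` and `ls -al /proc/<pid>/exe` checks above can be automated across every process. The following script is an added example, not part of the original article: it reads each `/proc/<pid>/exe` link and flags binaries that were deleted after launch or that run from `/tmp`, `/var/tmp` or `/dev/shm`; the `PROC_ROOT` argument and the `SCRATCH_DIRS` list are conventions chosen here.

```shell
#!/bin/sh
# Added example (not from the original article): walk every /proc/<pid>/exe link and flag
# processes whose binary was deleted after launch, or that run from a world-writable scratch
# directory. Both are common traits of dropped malware and cryptominers.
set -eu

# Directory prefixes that legitimate services almost never execute from.
SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# in_scratch_dir PATH: succeed if PATH lies below one of SCRATCH_DIRS.
in_scratch_dir() {
  for p in $SCRATCH_DIRS; do
    case "$1" in "$p"/*) return 0 ;; esac
  done
  return 1
}

# suspicious_exes [PROC_ROOT]: print "pid target reason" for each flagged process.
# PROC_ROOT defaults to /proc; any directory laid out like it can be used for testing.
suspicious_exes() {
  root="${1:-/proc}"
  for d in "$root"/[0-9]*; do
    [ -L "$d/exe" ] || continue        # kernel threads (and PIDs we cannot read) have no link
    pid=${d##*/}
    target=$(readlink "$d/exe") || continue
    if [ ! -e "$target" ]; then
      # The kernel appends " (deleted)" once the file is unlinked; -e fails either way.
      # A path only visible inside a container's mount namespace lands here too: a lead, not a verdict.
      reason=deleted-binary
    elif in_scratch_dir "$target"; then
      reason=scratch-dir
    else
      continue
    fi
    echo "$pid $target $reason"
  done
}

# Run against the live system; cross-check each flagged PID with ps -ef and ls -al /proc/<pid>/exe.
suspicious_exes "${1:-/proc}"
```

Run it as root so that every process's `exe` link is readable; unprivileged runs silently skip other users' processes.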



Windows:

  • Use `netstat -ano` to list all open network connections. You can also use Wireshark to perform a more in-depth trace on open connections.

  • Use `tasklist` to display all running processes.

  • In PowerShell, check the executable path of a suspicious process using:

    wmic process where "ProcessId=process_id" get ExecutablePath


  • Inspect common directories for malicious files, such as `C:\Windows\System32`, `C:\Windows\Temp`, and `C:\Users\<YourUserName>\AppData`.

  • Utilise Sysinternals Suite tools, such as:

    • Process Monitor – Monitors real-time file system activity.

    • Autoruns – Lists startup programs and detects persistence mechanisms.

    • Tcpview – Displays real-time network connections.

  • Search for recently modified files that could indicate malware:

    Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-3)}



Review Log Files


Linux:

  • Analyse your log files to trace attack vectors and identify how the breach occurred. Tools like `grep` can help search logs for unusual activity.

  • Search SSH access logs for failed login attempts:

    grep "Failed password" /var/log/auth.log


  • Check for unusual SSH logins (on RHEL-based distributions the equivalent file is `/var/log/secure`; on systems without a syslog daemon use `journalctl -u ssh` or `journalctl -u sshd`):

    grep "sshd" /var/log/auth.log


  • Inspect kernel logs for anomalies:

    dmesg | tail -50
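The `grep "Failed password"` search above lists raw lines; what usually matters is how many failures each source produced and whether one of those sources eventually logged in. The following script is an added example, not part of the original article, and runs on a constructed `auth.log` excerpt in the Debian/Ubuntu sshd format.

```shell
#!/bin/sh
# Added example (not from the original article): aggregate the "Failed password" lines the
# article greps for, per source IP, and spot a source that failed repeatedly and then got in.
set -eu

# Constructed auth.log excerpt (not a real capture).
sample_auth_log() {
  cat <<'EOF'
Mar  3 10:01:02 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 vps sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:09 vps sshd[1207]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar  3 10:02:11 vps sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
Mar  3 10:03:44 vps sshd[1215]: Failed password for invalid user test from 198.51.100.7 port 40010 ssh2
Mar  3 10:04:00 vps CRON[1220]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:05:30 vps sshd[1230]: Accepted password for root from 203.0.113.5 port 51260 ssh2
EOF
}

# failed_by_source FILE: "count ip" per source of failed password attempts, busiest first.
failed_by_source() {
  grep "Failed password" "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_bruteforce FILE THRESHOLD: only the IPs with at least THRESHOLD failures.
flag_bruteforce() {
  failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# accepted_from_flagged FILE THRESHOLD: successful logins from flagged IPs, i.e. a brute
# force that eventually worked. This is the strongest signal in the file.
accepted_from_flagged() {
  flag_bruteforce "$1" "$2" | while read -r ip; do
    grep "Accepted .* from $ip port" "$1" || true
  done
}

# Demo on the constructed sample; point the functions at /var/log/auth.log on a live server.
tmp=$(mktemp)
sample_auth_log > "$tmp"
echo "Failed attempts per source:";           failed_by_source "$tmp"
echo "Sources with 3+ failures:";             flag_bruteforce "$tmp" 3
echo "Successful logins from those sources:"; accepted_from_flagged "$tmp" 3
rm -f "$tmp"
```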



Windows:

  • Analyse your Event Viewer logs to trace attack vectors and identify how the breach occurred.


  • Use PowerShell to check for unusual scheduled tasks:

    Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"} | Format-Table TaskName, TaskPath, State


  • Use PowerShell to list the most recent Security events (`Get-EventLog` exists in Windows PowerShell 5.1; on PowerShell 7 use `Get-WinEvent -LogName Security -MaxEvents 50` instead):

    Get-EventLog -LogName Security -Newest 50



Detecting and investigating suspicious activity is only part of maintaining a secure VPS. To prevent future incidents and harden your server against attacks, it's essential to implement proactive security measures.

For a detailed guide on securing your BinaryLane VPS, consider reviewing our helpdesk article: Securing your servers on BinaryLane



If you require assistance, feel free to submit a support ticket at our helpdesk: Submit a ticket