Upgrading my infrastructure seemed like a straightforward decision. I wanted better performance and reliability for my personal website and a few side projects. What I didn’t expect was discovering that my own VPS had been turned into a crypto miner for someone else.
The Upgrade
Initially, I was hosting everything on a friend's VPS. It worked, but performance was inconsistent and uptime wasn’t great. I decided to move to my own server.
For €10/month, I got:
- 12GB RAM
- 300GB storage
- 300Mb/s port
- Daily backups
After migrating my website and a few small projects, everything appeared to be running smoothly.
The First Warning Signs
Shortly after the migration, my hosting provider contacted me. According to their alerts, I was exceeding bandwidth limits and hitting unusually high connection counts.
At the same time, my SSH sessions would occasionally disconnect without explanation. That combination strongly suggested something abnormal was happening on the server.
Unexpected Outbound Requests
All projects were running inside Docker containers, so I started reviewing container logs. Two of them were making outbound requests to IP addresses that were not part of my codebase.
I reviewed the source code thoroughly and found nothing referencing those addresses. A quick lookup confirmed that the IPs were associated with malicious activity.
Discovering the Miner
Inside the affected containers, I found newly created files that were clearly not part of my application. One of them contained configuration details for a mining pool, including a wallet address.
(The file was accidentally committed to the repo by me when pushing other changes; they didn't commit anything.)
At that point, it was clear: the server was being used to mine cryptocurrency.
Reinstalling Everything
To eliminate any possibility of a persistent compromise in my codebase, I:
- Reset my GitHub password
- Regenerated SSH keys
- Completely reinstalled the VPS
After deploying everything again on a clean system, the same malicious behavior reappeared almost immediately. The server automatically attempted to download the same suspicious files using tools like curl and wget.
That ruled out my repository as the source of the issue.
Inspecting Running Processes
I accessed the container interactively and ran:
ps aux
The output showed numerous defunct processes and an active process responsible for fetching malicious code. Something external was triggering it.
Confirming It Wasn’t the Application
To isolate the problem further, I deployed a completely new and private project: no domain, no publicity, nothing public-facing.
It immediately began receiving unexpected requests.
That was the turning point. The issue wasn’t tied to any specific application. It was related to the server itself.
The Root Cause: SSH Brute Force
Reviewing SSH logs revealed constant login attempts from automated bots scanning IP ranges and common service ports. They were trying common usernames such as:
- root
- apache
- postgres
The hosting provider had SSH password authentication enabled by default, with a relatively weak password policy.
Automated bots were brute-forcing credentials. Once they gained access, they deployed crypto-mining software inside running containers.
Lessons Learned
This wasn’t a targeted attack. It was fully automated. Bots continuously scan public IP ranges looking for weak SSH configurations.
If they gain access, they will:
- Install crypto miners
- Consume your server resources
- Generate bandwidth usage
- Leave you with the bill
To prevent this:
- Disable SSH password authentication entirely
- Use SSH key-based authentication only
- Configure a firewall
- Monitor authentication logs regularly
If your VPS has a public IP address, assume it is being scanned. Proper SSH configuration is not optional.
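As an added example, not part of the original post, the log review described above can be scripted: the snippet below parses constructed sshd lines in the /var/log/auth.log format, counts failed password attempts and the usernames tried per source IP, and flags any password login that followed a burst of failures, which is the pattern of a brute force that succeeded. The log lines, IP addresses (RFC 5737 documentation ranges), hostname and failure threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log (OpenSSH syslog format); not real traffic.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 vps sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 vps sshd[2203]: Failed password for invalid user apache from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 vps sshd[2205]: Failed password for invalid user postgres from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:08 vps sshd[2208]: Failed password for root from 203.0.113.45 port 51055 ssh2
Mar  3 02:14:11 vps sshd[2210]: Accepted password for root from 203.0.113.45 port 51060 ssh2
Mar  3 02:20:40 vps sshd[2302]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Mar  3 02:21:02 vps sshd[2310]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2: ED25519 SHA256:placeholder
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def analyze(text, threshold=3):
    """Summarise brute-force activity; threshold (assumed) is failures per IP before it is flagged."""
    failures_by_ip = Counter()
    users_by_ip = defaultdict(set)
    password_logins = []   # any password login: should be empty once sshd is keys-only
    compromised = []       # password login from an IP that had already crossed the threshold
    for result, method, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures_by_ip[ip] += 1
            users_by_ip[ip].add(user)
        elif method == "password":
            password_logins.append((user, ip))
            if failures_by_ip[ip] >= threshold:   # order matters: failures came first
                compromised.append((user, ip))
    return {
        "brute_force_ips": {ip: n for ip, n in failures_by_ip.items() if n >= threshold},
        "usernames_tried": {ip: sorted(u) for ip, u in users_by_ip.items()},
        "password_logins": password_logins,
        "compromised": compromised,
    }
```

Run it against the real file with `analyze(open("/var/log/auth.log").read())`; a non-empty `compromised` list means the credentials were guessed, not just probed.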
