Found SSH Backdoor on VServer. What to do?

This is what you should do on all the systems that you've had this sniffer.tgz on: Nuke Them From Orbit immediately, and start over from a clean installation. (That is, destroy the system(s), reinstall clean, load data from clean backups - assuming you have backups that're clean, and then harden the system(s) before putting them back on the Internet).

Whenever you have malware or hackers get into your system like this, it's time to reanalyze how your system is configured and make sure to not repeat the same steps that they got in with. But, because this may not be a system you have the ability to take aside and forensically analyze, and since this may be your only server, it's time to just destroy the virtual system, and start over from scratch (as I said above).

(And this applies to any such situation where you get malware on the system. Unless you have spare hardware to replace something like this so you can isolate and forensically examine the breached system, which usually most users do not have, you have no choice but to nuke the system and start over.)

Without analyzing your server I can't really say what you did wrong, but it's likely that this backdoor is deeper in the system than just a simple 'program' that got installed. And, since the bad guys already got to install a backdoor on your system, you can assume that all your passwords are now breached and no longer safe (whether it be for SSH, or MySQL root, or any other type of password that has EVER been entered into this computer system). Time to change all your passwords!


Once you're back up in a clean environment, here's some basic tips on hardening steps to consider. Note that because these make it much more broader a topic, I can't really dig into detail here, but it's definitely time to do some hardening steps to protect your system:

  1. Turn on a firewall, and only allow access to ports that need to be opened. ufw exists to be simple, so let's use that. sudo ufw enable. (Configuring ufw properly for your environment is a different story, and that goes beyond the confines of this question.)

  2. Restrict access to remote SSH. This isn't always doable, but you ideally would identify IP addresses that are owned by you and specifically whitelist them in the firewall. (If you're on a dynamic residential IP address skip this step).

  3. Lock down SSH access to your server, and require the use of SSH keys only for authentication. This way hackers can't attack your server and try and just guess passwords. It's much MUCH harder to guess the proper private key (because you'd have to bruteforce all of them), and this helps protect against bruteforcing attacks.

  4. If you are running a website, make sure to lock down the permissions so that people can't upload/execute things at their leisure. Doing this varies from site to site, so I can't give you more guidance here (it's impossible to do so).

  5. Also if you're running a website using Joomla or Wordpress or such, make sure you keep the environment up to date and patched with security vulnerabilities from the software providers.

  6. Where possible, setup, configure, and use two-factor authentication (2FA) methods for things that you authenticate with. There are many solutions for second-factor authentication for different applicaitons, and securing various applications this way is beyond the scope of this post, so you should do your research on this point before you pick a solution.

  7. If you absolutely must use passwords in your setup, use a decent password manager (cloud-based ones are not necessarily good choices) and use long-length (25+ characters), random, unmemorable passwords that are different for each individual item that's being secured by passwords (hence the recommendation for the password manager). (However, you should strongly consider NOT using passwords where possible (such as for SSH authentication), and use 2FA where possible).