Hostigation received third-party information that your VPS may be compromised with the Ebury trojan. The Ebury trojan steals SSH login credentials from incoming and outgoing SSH connections and forwards them to a dropzone server in specially crafted DNS packets. The trojan is normally found in a binary directory on Unix-based systems in one of the following locations:
/usr/bin/ssh
/usr/bin/sshd
/usr/bin/ssh-add
According to the data we received, your VPS was sending harvested SSH credentials to a dropzone server. The only guaranteed way to remove this trojan is to reinstall your VPS. If your VPS is OpenVZ, we can provide you with a small amount of backup space so you may retrieve critical files once your VPS is reinstalled. Due to the nature of this trojan, any infected KVM VPS will have to be reinstalled completely from scratch.
For more information on Ebury, please see https://www.cert-bund.de/ebury-faq
The information we received about your VPS was provided by US-CERT; we have no additional information as to how you may have been exploited.
Jakob McCann
Hostigation.com