Ask HN: My VPS got hacked and now I'm facing a massive bill. What can I do?

Incidentally, since many HNers probably come at this from a mental model of "Anything which appears on an invoice is non-negotiable and simply must be paid": a B2B service provider which collects payment after services are rendered is knowingly taking on credit risk and has already priced non-collectability of some accounts into their services. You may be overestimating how much drama is required for someone at their company to say "Wow, really? OK, sorry about that. I'll write it off."

This is one of many, many, many reasons why we don't generally do cost-based pricing and, when we do do cost-based pricing, the markup is absolutely phenomenal. It has to include risk premiums. As long as it do include risk premiums, you don't have to sweat the small stuff like e.g. an uncollectable $4k invoice. (n.b. Small stuff! $4k hiccups are utterly routine events and largely dealt with by processes rather than by treating them as sudden emergencies, even if they feel like that to natural humans.)

1. Report the incident to the police. Right now.

2. Report it to the VPS provider. Explain that you've reported it to the police. Ask for their cooperation in investigating the problem.

You do not have to pay. If they try to force you to pay, depending on your country, you'll probably end up in small claims court where you'll find judges are very reasonable people who usually side with the little guy. (IANAL)

I've been in the exact same situation with AWS ( http://cl.ly/SHOu ).

It was a nerve recking couple of days but I contacted AWS support and they were extremely good. They helped me secure my machine and then cancelled the 1.4K payment they were going to take from my account.

In all the whole process took 2.5 weeks and I only had to pay $15 for the I/O requests.

The best thing I can recommend is to talk to your host and tell them honestly you can't pay that much and you weren't the cause of the charges either.

I work for a VPS provider in the US. These situations are common and we usually just issue a credit and give a reminder to the customer to please secure their server

That brings me to my point. How did the hack occur? When you get a VPS you are fully responsible for what goes on in there. It is your responsibility to secure it and keep it updated. It's not the provider's fault you did not apply the latest security updates. It's not the provider's fault your Java application was using outdated and vulnerable libraries nor is it their fault you didn't set a CAPTCHA in front of your submission forms. Either hire a competent sysadmin if you can't take care of that yourself or find a provider that offeres managed hosting instead of a VPS, as that's what you'd most likely need.

There are some cases where it's the provider's fault such as the Linode BitCoin hack a few years back but mostly it's just poor server maintenance

I work for a company that provides VPSes. In a situation like this, they can see the usage is aberrant and they can see it's not normal based on past bills. They'd likely offer a large credit if you say you didn't intend to do this, and it doesn't look like a fraudulent account. That being said, they themselves probably have bandwidth costs, and are not at all likely to forget all of the charge, perhaps half at best.

Stop using providers which charge a ridiculous price for bandwidth (like AWS). There are many excellent alternatives where a TB costs only a few dollars/euros.

I would begin by contacting your VPS provider, explaining the circumstances which caused the bill, and asking "What are our options?"

Have you talked to your VPS provider? They should be able to cut you a break; after all, that 40TB of traffic cost them only a small fraction of what they're charging you, so if they're reasonable you should at least be able to get them to reduce the charges to their actual cost.

You might also offer to suggest writing up a post mortem for them, that they can provide to their customers as a lesson/tutorial on how to protect a VPS.

Finally, you can suggest that they might want to implement (and perhaps help them implement it) some kind of warning system, i.e., if a VPS suddenly begins using exorbitant amounts of bandwidth, and far more bandwidth than it ever has before, they really should email/text the owner an alert within 24 hours — not let it go on for 6 weeks. I'm surprised that they don't cap/throttle the bandwidth once you go over your plan's limit, to go along with sending you alerts. It borders on negligence on their part that they don't already have such a system in place.

Depends on your provider. Amazon AWS is known to have waived such bills in the past, see for example http://readwrite.com/2014/04/15/amazon-web-services-hack-bit...

To prevent such incidents Linode have alerts of traffic/cpu/disk thresholds. For example you can configure notification if your bandwidth utilization more than N Mbit/s in duration more than N minutes. Very useful for DDoS prevention.

I had something similar happen with AWS but the bill wasn't as high since they ended up flagging my box as spam-producing and shut off all outbound traffic. I'd just ask them and see if they can remove the charges, it worked in my case.

I had the same thing happen to me. I wrote about it on my blog http://mattarkin.com/protect-your-azure-linux-vm-aka-how-to-.... Basically I complained to Microsoft, they said they'd waive the charge but since it was for a linux vm they said they couldn't cover it. Then I complained to American Express claiming it was an unauthorized and fraudulent charge. Amex sent the dispute to Microsoft and they never responded so I wont the chargeback.

I can understand how that could happen and what a problem it would be. I had an experience with a telephone bill myself, but the story is not going to help you.

I would suppose your first and best resort is to consult your lawyer, advocate, solicitor, barrister, Anwalt. I wonder what your relevant legal jurisdiction is.

I wonder whether it would help if you can account for your own whereabouts and your own usage of endpoint data services. I wonder if your method of payment to your VPS provider is mediated by a financial service that can help you dispute the bill.

I am not a lawyer.

I assume you are in europe. I'd suggest simply talking with your provider, explaining the issue and asking them to investigate. I honestly expect them to cooperate and be understanding.

If they insist for you to pay: simply don't. State the truth: You can't afford it. Tell them the only way they will see this money is by taking legal action against you and even in that case you won't be able to comply - as you don't have the money.

Hope it helps :(

Just in addition to some other helpful comments: based on posting I assume that your are Dutch or Belgian, located in Europe and are buying this VPS as a private consumer, not a company.

Which means your case is probably covered by consumer protection rules when it comes to informing you about data usage, and I seriously doubt a VPS provider has covered their ass as well as mobile providers tend to do.

Anyone have tips on how to secure their Linux VPS? I just set one up and disabled SSH password login, locked down all the ports with iptables (using ufw), and enabled fail2ban. Anything else I should install or configure to make myself a little more secure? Was considering tripwire but I dunno how much a headache it would be with false positives as I change things on the server.

PSA: Set up billing alerts! You should always have a notification sent to you when your monthly bill exceeds one or more dollar amounts. For example, if you're using AWS, Amazon CloudWatch lets you set an alarm on a billing metric to notify you automatically.

Post on WebHostingTalk.com - just do it. You'll get attention from the host, other hosts who will sympathize, and you'll see that they'll just write it off.

Post the link when you do and I'll be sure to comment on it (I'm somewhat very-active at WHT)

I seem to be missing something. You knew it was happening when you got the first bill, but let it continue for another half month before shutting it down?

In addition to the other comments, make it absolutely clear to them (with proof if needed) that you're a student.

Make sure Elastic Search is not accessible from a public IP address (this is what likely got you in the mess to begin)

Do you know how you got hacked?

cut your credit card report it as stolen tell the host that it wasn't u :p

I feel really sorry for you situation. I first suggest talking to the hosting provider and explain what happened. Any decent service will give some discount in this case.

Unfortunately, I can't think of anything else. I wish it was realistic to tell you to go to the police.

Also, if you would give your email, I would definitely consider sending a donation through paypal... Hopefully other readers here will do the same.