Last updated May 2026.
This guide covers how to recover a compromised Ubuntu server on Oracle Cloud. These methods are sourced from real recovery workflows shared in the community to give you the exact steps that work right now.
Discovering your Oracle Cloud Free Tier server has been compromised by a cryptomining botnet is a developer’s worst nightmare. Oracle’s automated systems might permanently terminate the instance. Swift, decisive action is required to regain root access, kill the malicious processes, and patch the ingress vector before losing the Always Free allocation. This guide covers the exact terminal commands used by the community to boot into recovery mode, mount a block volume, audit SSH keys, and sanitize an Ubuntu system.
Isolate the instance
Pull the network plug immediately. Go to the Oracle console and remove the public IP or shut the instance down. That gives you breathing room to think without the server running malicious code.
Grab what you can save
Before wiping anything, copy the database dump, the wp-content folder and any custom config files to a safe place. Use SCP or the console’s file manager. Do not try to copy the whole filesystem; much of it is likely tainted.
If a snapshot from before the breach is available, restore it. The free tier does not always give you automated snapshots, so starting from scratch may be necessary.
Re-install Ubuntu
Spin up a fresh Ubuntu instance in the same region. Choose the latest LTS release. It is the most stable and gets security updates for years.
When the new VM is up, lock it down before putting anything on it. Disable password login, allow only key-based SSH, and close every port that is not needed, both on the host firewall and in the VCN security list. A minimal rule set reduces the attack surface significantly.
Put WordPress back together
Install the exact PHP, MySQL and web server versions used before. Drop in the clean WordPress core files, add the saved wp-content, and import the database dump. Run the WordPress installer to update the tables.
Run a security scan to make sure no malicious code slipped in with the content. Delete anything suspicious.
Hardening for the future
Enable automatic security updates on the new Ubuntu box. Set up a regular backup schedule for both the database and the wp-content folder. Use a cheap external monitoring service that pings the site and alerts if something changes unexpectedly. Point DNS back to the new VM’s IP once confident the site is clean.
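As an added example for the backup part of this step (not a script from the guide or from any Oracle or WordPress tooling), the following shell functions bundle a database dump and the wp-content folder into a timestamped, checksummed archive, verify it, and prune old bundles. It assumes the dump already exists on disk (for instance written by mysqldump) and that the destination directory is later synced off the server; the site files it creates for the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# backup_site WP_CONTENT_DIR DB_DUMP_FILE DEST_DIR [STAMP]
# Creates DEST_DIR/site-STAMP.tar.gz plus a .sha256 beside it and prints the archive path.
# STAMP defaults to the current UTC time; passing it explicitly is useful for tests.
backup_site() {
    content=$1; dump=$2; dest=$3; stamp=${4:-$(date -u +%Y%m%d-%H%M%S)}
    [ -d "$content" ] && [ -f "$dump" ] || { echo "backup_site: missing input" >&2; return 1; }
    mkdir -p "$dest"
    archive="$dest/site-$stamp.tar.gz"
    # -C into each input's parent so the archive holds relative paths only
    tar -czf "$archive" -C "$(dirname "$content")" "$(basename "$content")" \
                        -C "$(dirname "$dump")" "$(basename "$dump")"
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    echo "$archive"
}

# verify_backup ARCHIVE: returns 0 when the archive still matches its recorded checksum.
verify_backup() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null)
}

# prune_backups DEST_DIR KEEP: delete all but the newest KEEP bundles.
# Names sort chronologically because the stamp is YYYYmmdd-HHMMSS.
prune_backups() {
    list=$(ls "$1"/site-*.tar.gz 2>/dev/null | sort)
    total=$(printf '%s\n' "$list" | grep -c .)
    extra=$((total - $2))
    [ "$extra" -gt 0 ] || return 0
    printf '%s\n' "$list" | head -n "$extra" | while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Demo on constructed site files in a temporary directory.
tmp=$(mktemp -d)
mkdir -p "$tmp/wp-content/uploads"
echo "constructed image bytes" > "$tmp/wp-content/uploads/sample.jpg"
echo "-- constructed database dump" > "$tmp/site.sql"
bundle=$(backup_site "$tmp/wp-content" "$tmp/site.sql" "$tmp/backups")
verify_backup "$bundle" && echo "verified: $bundle"
tar -tzf "$bundle"
rm -rf "$tmp"
```

Schedule backup_site from cron or a systemd timer and keep verify_backup in the restore procedure, since a bundle that no longer matches its checksum is not one to restore from. Automatic security updates are a separate setting: on Ubuntu, install the unattended-upgrades package and run dpkg-reconfigure -plow unattended-upgrades, then confirm /etc/apt/apt.conf.d/20auto-upgrades enables the periodic run.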
Frequently Asked Questions
Q: Can I prevent my Oracle Cloud server from being brute-forced?
A: Yes. Always disable password authentication in sshd_config, enforce Ed25519 SSH keys, install Fail2Ban, and restrict ingress traffic via Oracle’s Virtual Cloud Network security lists.
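The lock-down step for the new VM and this answer come down to the same sshd settings. The script below is added to this guide as an example (it is not the guide's own code, nor Oracle or Ubuntu tooling): it audits an sshd_config file for the weak settings, writes a hardened drop-in, and takes file paths as parameters so it can be tried on a scratch copy first. It assumes an OpenSSH build that includes /etc/ssh/sshd_config.d/*.conf, as recent Ubuntu releases do, and the weak config it builds for the demo is constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# sshd_option CONFIG_FILE OPTION: print the effective value of an option.
# Like sshd itself, the first match wins; commented lines start with '#' and never match.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd CONFIG_FILE: return 0 when the file carries the hardened values, 1 otherwise,
# printing each finding. An unset option counts as weak because sshd's default for
# PasswordAuthentication is "yes", which is exactly what brute-force attempts rely on.
audit_sshd() {
    cfg=$1; bad=0
    for pair in "PasswordAuthentication no" "PermitRootLogin no" \
                "PubkeyAuthentication yes" "KbdInteractiveAuthentication no"; do
        key=${pair% *}; want=${pair#* }
        got=$(sshd_option "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "WEAK: $key is '${got:-unset}', want '$want'"
            bad=1
        fi
    done
    return "$bad"
}

# write_hardened_dropin DEST_FILE: write the hardened values. On a live host the
# destination would be /etc/ssh/sshd_config.d/50-hardening.conf; here it is a parameter.
write_hardened_dropin() {
    cat > "$1" <<'EOF'
# Key-based authentication only, no root login (hardening drop-in).
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
}

# Demo on a constructed weak config in a temporary directory.
tmp=$(mktemp -d)
printf '#PasswordAuthentication no\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp/weak.conf"
if audit_sshd "$tmp/weak.conf"; then echo "weak.conf: hardened"; else echo "weak.conf: needs fixing"; fi
write_hardened_dropin "$tmp/50-hardening.conf"
if audit_sshd "$tmp/50-hardening.conf"; then echo "50-hardening.conf: hardened"; fi
rm -rf "$tmp"
```

The audit reads a single file and ignores Match blocks, so after installing the drop-in run sshd -t to syntax-check it and sshd -T to print the configuration sshd will actually apply, then restart the service from a session you keep open until a fresh key-based login succeeds. Fail2Ban and the VCN security list sit on top of this and are not covered by the script.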
Q: How do I know if my Oracle Cloud server has been compromised by a cryptominer?
A: Key indicators are CPU usage at 100% with unknown processes, unusual outbound network traffic, unfamiliar cron jobs, and SSH authorized_keys entries that were not added by the account owner.
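To check those indicators, either on the rebuilt host or against the old system's block volume mounted read-only, here are triage helpers added as an example for this guide (not code from the original). The authorized_keys, allowlist and cron file they build are constructed samples; the allowlist of keys the owner actually installed is an assumed file you keep off the server.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# key_identity AUTHORIZED_KEYS_FILE: reduce each line to "type blob", dropping any
# leading options and the trailing comment, so keys compare regardless of comment text.
# Lines without a recognised key type are skipped.
key_identity() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)$/) {
                 print $i, $(i+1); break } }' "$1"
}

# unknown_keys AUTHORIZED_KEYS_FILE ALLOWLIST_FILE: print every key not in the
# allowlist and return 1 when at least one exists; return 0 when all keys are known.
unknown_keys() {
    allow=$(mktemp)
    key_identity "$2" > "$allow"
    # -x whole-line, -F fixed-string, -v invert: lines absent from the allowlist
    if key_identity "$1" | grep -vxF -f "$allow"; then
        rm -f "$allow"; return 1
    fi
    rm -f "$allow"; return 0
}

# cron_entries PATH...: print active (non-comment, non-empty) lines from each cron
# file or directory, prefixed with the file name, so unfamiliar jobs stand out.
# On Ubuntu the usual inputs are /etc/crontab, /etc/cron.d and /var/spool/cron/crontabs.
cron_entries() {
    for path in "$@"; do
        for f in "$path" "$path"/*; do
            [ -f "$f" ] || continue
            grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
        done
    done
}

# top_cpu [N]: the N busiest processes with the binary they run; a miner usually
# shows as an unfamiliar name pinned near 100%, and /proc/PID/exe reveals a binary
# that was deleted after launch. Requires a live Linux host (procps ps).
top_cpu() {
    ps -eo pid=,pcpu=,user=,comm= --sort=-pcpu | head -n "${1:-5}" |
    while read -r pid cpu user comm; do
        printf '%s %s%% %s %s exe=%s\n' "$pid" "$cpu" "$user" "$comm" \
            "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done
}

# Demo on constructed files in a temporary directory.
tmp=$(mktemp -d)
printf 'ssh-ed25519 AAAA-OWNER-KEY-PLACEHOLDER owner@laptop\n' > "$tmp/allowlist"
printf 'ssh-ed25519 AAAA-OWNER-KEY-PLACEHOLDER owner@laptop\nno-pty ssh-rsa AAAA-UNKNOWN-KEY-PLACEHOLDER nobody\n' > "$tmp/authorized_keys"
printf '# m h dom mon dow user command\n\n*/5 * * * * root /tmp/.cache/sync\n' > "$tmp/cron.d-sample"
if unknown_keys "$tmp/authorized_keys" "$tmp/allowlist"; then
    echo "no unknown keys"
else
    echo "unknown key(s) listed above: remove them and rotate the owner's key"
fi
cron_entries "$tmp/cron.d-sample"
rm -rf "$tmp"
```

On a live host, run top_cpu alongside the key and cron checks; on a mounted volume, point unknown_keys at home/*/.ssh/authorized_keys and root/.ssh/authorized_keys under the mount point and cron_entries at its etc/crontab, etc/cron.d and var/spool/cron/crontabs.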
Q: Should I try to clean a compromised server or rebuild from scratch?
A: The community consensus is to always rebuild from scratch. Attempting to clean a compromised server risks missing hidden backdoors. The time saved by cleaning is not worth the risk of a repeat compromise.
Q: Will Oracle terminate my Always Free account if the server is compromised?
A: Oracle’s abuse detection can flag and suspend accounts running cryptomining workloads. Acting quickly to shut down the instance and reporting the breach to Oracle support is the recommended approach to protect the account.