1
votes

In my Google Cloud Platform, I configured one Compute Engine instance as VPN(openvpn). It was working fine until yesterday when it suddenly got stopped by Google displaying the message "This instance is stopped. Compute Engine has detected suspicious activity. Please consult the Project dashboard for more information". I appealed by going to the Google Cloud Platform console and my instance started running after some time but today it is again stopped displaying the same message. Has anyone ever been in this scenario? Or if someone can help me figure out the problem.

3
I'm voting to close this question because questions about the (necessarily proprietary and subject-to-change) abuse prevention protocols used by a 3rd-party service are not amenable to canonical, provably correct answers. – Charles Duffy
(also, such questions are more about system administration than software development; they would be closer to on-topic at our sister site, Server Fault) – Charles Duffy

3 Answers

1
votes

You will receive an email from [email protected] regarding your usage of the Google Cloud Platform. This generally indicates a need to clarify usage that appears to be against the Google Cloud Platform Terms of Service.

That email will contain more detailed information on how to resolve the issue.

Also, please consult our Policy violations FAQ for more information.

1
votes

Since your instance might have been compromised for mining, the guest OS in that instance is no longer trusted; binaries or commands might have been rewritten with mining commands.

The easiest and quickest way is to create a new instance and configure a new VPN service again if there aren't any important files in that instance.

If you were using a static external IP address, it's also possible to change the associated VM instance.

The default VPC network in GCP allows SSH, ICMP and RDP from anywhere (0.0.0.0/0), so not only the VPN service but also SSH or RDP can be used to break in, depending on your guest operating system.

It might be hard work to analyze how the instance got compromised; you'll need to check every log entry to work out how the attackers got in. Generally, they come through the services you exposed to the internet, which might be OpenVPN or SSH.

So the VPN log and the SSH log are the first things to check if you want to figure it out.
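To make the "check the VPN log and the SSH log first" step concrete, here is a small triage script. It is an added example, not code from the answer above or from Google or OpenVPN. It parses the line formats that OpenSSH's sshd (in /var/log/auth.log or /var/log/secure) and the OpenVPN server (the file named by `log`/`log-append` in its config) actually write, counts failures per source IP, and flags accepted SSH logins that came from outside an assumed trusted range, used password authentication, or came from an IP that had already failed against sshd or the VPN's TLS handshake. The log lines and the trusted network `203.0.113.0/24` are constructed for illustration (documentation address ranges); point the functions at your real files instead.

```python
"""Triage sshd and OpenVPN server logs for signs of how a VM was compromised.

Added example; not the original answer's code. Sample log lines are constructed
in the formats OpenSSH sshd and the OpenVPN server emit.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the only network the operator legitimately administers from.
TRUSTED_NETS = ["203.0.113.0/24"]

# Constructed sshd lines (auth.log / secure format).
SSH_LOG = """\
Mar 10 02:11:03 vpn sshd[1201]: Failed password for root from 198.51.100.7 port 44112 ssh2
Mar 10 02:11:05 vpn sshd[1201]: Failed password for root from 198.51.100.7 port 44113 ssh2
Mar 10 02:11:09 vpn sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 44120 ssh2
Mar 10 02:12:41 vpn sshd[1210]: Accepted password for ubuntu from 198.51.100.7 port 44190 ssh2
Mar 10 08:30:12 vpn sshd[1390]: Accepted publickey for ubuntu from 203.0.113.5 port 50222 ssh2: ED25519 SHA256:abc
"""

# Constructed OpenVPN server lines ("<date> <peer ip>:<port> <message>").
OVPN_LOG = """\
Tue Mar 10 02:05:00 2020 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=...
Tue Mar 10 02:05:01 2020 203.0.113.5:51234 [laptop] Peer Connection Initiated with [AF_INET]203.0.113.5:51234
Tue Mar 10 02:09:17 2020 198.51.100.7:39001 TLS Error: TLS handshake failed
Tue Mar 10 02:09:20 2020 198.51.100.7:39002 TLS Error: TLS handshake failed
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
OVPN_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} [\d:]+ \d{4} (?P<ip>[\d.]+):\d+ (?P<msg>.*)$")
OVPN_CONNECT_RE = re.compile(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated")


def in_trusted(ip, trusted_nets):
    """True if ip falls inside one of the trusted CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in trusted_nets)


def triage_ssh(log, trusted_nets):
    """Count failed logins per IP and flag suspicious accepted logins."""
    failed = Counter()
    accepted = []
    for line in log.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        else:
            accepted.append((m["user"], m["ip"], m["method"]))
    findings = []
    for user, ip, method in accepted:
        reasons = []
        if not in_trusted(ip, trusted_nets):
            reasons.append("untrusted source")
        if failed[ip]:
            reasons.append(f"{failed[ip]} failures from same IP")
        if method == "password":
            reasons.append("password auth")
        if reasons:
            findings.append((user, ip, reasons))
    return {"failed": failed, "accepted": accepted, "findings": findings}


def triage_openvpn(log):
    """List established VPN sessions (by certificate CN) and TLS failures per IP."""
    connected = []
    handshake_failures = Counter()
    for line in log.splitlines():
        m = OVPN_RE.match(line)
        if not m:
            continue
        ip, msg = m["ip"], m["msg"]
        c = OVPN_CONNECT_RE.search(msg)
        if c:
            connected.append((c["cn"], ip))
        elif "TLS Error" in msg:
            handshake_failures[ip] += 1
    return {"connected": connected, "handshake_failures": handshake_failures}


def hostile_overlap(ssh, ovpn):
    """IPs that failed against sshd or the VPN and still got an accepted SSH login."""
    failed_ips = set(ssh["failed"]) | set(ovpn["handshake_failures"])
    accepted_ips = {ip for _, ip, _ in ssh["accepted"]}
    return failed_ips & accepted_ips


if __name__ == "__main__":
    ssh = triage_ssh(SSH_LOG, TRUSTED_NETS)
    ovpn = triage_openvpn(OVPN_LOG)
    for user, ip, reasons in ssh["findings"]:
        print(f"suspicious SSH login: {user} from {ip}: {', '.join(reasons)}")
    for cn, ip in ovpn["connected"]:
        print(f"VPN session: {cn} from {ip}")
    print("failed-then-accepted IPs:", sorted(hostile_overlap(ssh, ovpn)))
```

On the constructed data the script reports the password login for `ubuntu` from 198.51.100.7 as suspicious (untrusted source, three earlier sshd failures, password auth) and lists that IP as having failed the VPN TLS handshake before succeeding over SSH; the key-based login from the trusted range is not flagged. On a real instance, run this against the full logs from before the first "suspicious activity" stop, and treat any accepted login you cannot account for as the moment of compromise.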

0
votes

I know this is way late to respond, but as I hit a similar issue wanted to point out that there could be something else going on. If you have a VPN server running on a Compute VM in GCP, and you have configured your local VPN client to route ALL your traffic to this VPN, and furthermore your egress network rules on that VM instance allow full access to the internet, then it's possible that what is going on is that you have crypto mining happening on your local machine, but the miner's communication with the crypto network is getting routed through the Compute instance, so from the outside world it looks like that VM is the thing that is generating the mining traffic.

If that is the case, then it's possible you are running a browser tab (malicious or not) that is mining crypto using JS, or that your local machine has been compromised. You can start by installing crypto mining blockers (e.g. minerBlock) in your browser and see if you get any hits.