Any detective to help with quest? Virus/worm on Ubuntu. Can not connect :(

I have 512 MB Memory / 20 GB Disk / AMS3 - Ubuntu LAMP on 14.04 droplet.

I have installed Prestashop.

It was working for few months. But now it does not. Now:

  1. Does not ping from outer world (“Request timeout for icmp_seq 0”.)
  2. I can not ssh to it (“ssh: connect to host 188.166.xx.xx port 22: Operation timed out”)
  3. I can access it only with native DigitalOcean Droplet Console.

In DigitalOcean Droplet Panel I see: Graphs:

  1. CPU usage almost constantly around 13%. (12 aug 2016 — CPU dropped from 14.5% avg flat to 13% avg flat.)
  2. Public in/outbound: 0.
  3. Constantly I see writing to disk: 0.6Mb/s. At around 17:30 every day I see regular spike to CPU 19%, Disk read 1Mb/s, Disk write 1Mb/s.

If from the DigitalOcean Droplet Console:

  1. I can not ping
  2. Can not see process list with ps or top — it hangs forever. Until I restart the Droplet.

I have created another Droplet. But from there I can not connect to my first droplet either:

```
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 59: Applying options for *
debug2: resolving "188.166.xx.xx" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 188.166.xx.xx port 22.
debug1: connect to address 188.166.xx.xx port 22: No route to host
ssh: connect to host 188.166.xx.xx port 22: No route to host
```

Same "No route to host" if I go to "First" droplet and try to ssh to the "New" one.

The "First" Droplet Console lags quite a lot comparing to "New" one. So something is running there, but I can not see a process list.


Please help to either restore proper control.
To copy DB data and archived prestashop. (Already did tgz and mysqldump.)

Maybe list me some commands you think might try. I would really appreciate your help, guys!

Accepted Answer

Resolved: OK, so the problem was that Digital Ocean disabled my Droplet (and they sent an email with notification which I did not see). They did it because some malware crawled thru Prestashop and was a part of DoS attack to somewhere.

So I had to use their web console to log in and make a database dump, make a zip backup of all files. So now they will move the data to separate Droplet, and old one will have to be destroyed or rebuilt (to retain IP).
