Any detective to help with a quest? Virus/worm on Ubuntu. Cannot connect :(

Posted August 29, 2016 2.7k views
Tags: Ubuntu, Apache, Networking, Linux Commands

I have a 512 MB Memory / 20 GB Disk / AMS3 - Ubuntu LAMP on 14.04 droplet.

I have installed Prestashop.

It was working for a few months, but now it does not. Now:

  1. Does not ping from outer world (“Request timeout for icmp_seq 0”.)
  2. I cannot ssh to it (“ssh: connect to host 188.166.xx.xx port 22: Operation timed out”).
  3. I can access it only with native DigitalOcean Droplet Console.

In DigitalOcean Droplet Panel I see:

  1. CPU usage almost constantly around 13%. (On 12 Aug 2016 the CPU dropped from a flat 14.5% average to a flat 13% average.)
  2. Public inbound/outbound traffic: 0.
  3. I constantly see writes to disk at 0.6 Mb/s. At around 17:30 every day I see a regular spike to 19% CPU, 1 Mb/s disk read and 1 Mb/s disk write.

From the DigitalOcean Droplet Console:

  1. I cannot ping.
  2. I cannot see the process list with ps or top; it hangs forever, until I restart the Droplet.

I have created another Droplet, but from there I cannot connect to my first droplet either:
root@ubuntu-512mb-ams3-01:~# ssh 188.166.xx.xx -v -v -v
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 59: Applying options for *
debug2: resolving "188.166.xx.xx" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 188.166.xx.xx port 22.
debug1: connect to address 188.166.xx.xx port 22: No route to host
ssh: connect to host 188.166.xx.xx port 22: No route to host

I get the same “No route to host” if I go to the “First” droplet and try to ssh to the “New” one.

The “First” Droplet Console lags quite a lot compared to the “New” one, so something is running there, but I cannot see a process list.

Please help me either restore proper control, or copy the DB data and the archived PrestaShop files off the droplet. (I already did a tgz and a mysqldump.)

Maybe list some commands you think I might try. I would really appreciate your help, guys!

  • Can you share the output of the command ifconfig on your droplet? This will show your configured network interfaces. I think that while it’s possible that an infection or compromise is the root cause, the fact that your network is unavailable points me away from that possibility simply because a compromised server is only useful if the attacker can use it and they can only use it if they can connect to it.

    If you haven't already, I would also recommend opening a ticket with our support team so they can take a look and see if there is anything they are seeing to explain the loss of network connectivity.

  • Link encap:Ethernet  HWaddr 04:01:45:19:61:01
    inet addr:188.166.40.xx  Bcast:188.166.63.255  Mask:
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    Link encap:Local Loopback
    inet addr:  Mask:
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING  MTU:65536  Metric:1
    RX packets:193841 errors:0 dropped:0 overruns:0 frame:0
    TX packets:193841 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
    RX bytes:15606974 (15.6 MB)  TX bytes:15606974 (15.6 MB)
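The ifconfig output in the comment above shows the pattern worth recognising when the only access left is the provider console: the public interface still carries its address, but there is no flags line with UP/RUNNING and every RX/TX counter is zero, while loopback is healthy. A guest that has simply been firewalled or whose sshd died still counts packets; counters frozen at zero, or a missing carrier, point at the link being cut outside the guest, which is a reason to check the provider's panel, e-mail and support tickets before hunting for a rootkit. The script below is an added example by the editor, not code from the thread or from DigitalOcean. It parses ifconfig-style text and classifies each interface; the sample text is constructed to mirror the posted output (the masked octet, the interface name `eth0` and the netmask 255.255.224.0 are assumptions), and the state labels `down`, `no-carrier`, `silent` and `ok` are the editor's heuristics, not anything the provider reports.

```shell
#!/bin/sh
# Classify interfaces from ifconfig-style output when a host has gone dark.
# Added example (editor's own), not code from the original thread.
set -eu

# Constructed sample mirroring the posted output: an interface with an
# address but no flags line and zero counters, plus a healthy loopback.
# The name eth0, the masked octet and the netmask are assumptions.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 04:01:45:19:61:01
          inet addr:188.166.40.xx  Bcast:188.166.63.255  Mask:255.255.224.0
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:193841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:193841 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
          RX bytes:15606974 (15.6 MB)  TX bytes:15606974 (15.6 MB)'

# parse_ifconfig: read ifconfig text on stdin, print one line per interface:
#   "<name> <flags-comma-separated-or-dash> <rx_packets> <tx_packets>"
# An interface block starts at column 0; the flags line is the one carrying
# MTU:; flags are the words before the MTU: field. Missing counters print -1.
parse_ifconfig() {
  awk '
    /^[^ \t]/ { if (name != "") emit(); name = $1; flags = ""; rx = -1; tx = -1 }
    /MTU:/ {
      flags = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^MTU:/) break
        flags = (flags == "" ? $i : flags "," $i)
      }
    }
    /RX packets:/ { split($2, a, ":"); rx = a[2] }
    /TX packets:/ { split($2, a, ":"); tx = a[2] }
    END { if (name != "") emit() }
    function emit() { printf "%s %s %s %s\n", name, (flags == "" ? "-" : flags), rx, tx }
  '
}

# classify_iface FLAGS RX TX -> prints one of (editor's heuristics):
#   down        no UP flag: the interface was never brought up in the guest
#   no-carrier  UP but not RUNNING: no link; on a VM this is usually the
#               virtual NIC being cut off at the hypervisor/provider side
#   silent      UP and RUNNING but not a single packet either way
#   ok          anything else
classify_iface() {
  local flags="$1" rx="$2" tx="$3"
  case ",$flags," in
    *,UP,*) ;;
    *) echo down; return ;;
  esac
  case ",$flags," in
    *,RUNNING,*) ;;
    *) echo no-carrier; return ;;
  esac
  if [ "$rx" -eq 0 ] && [ "$tx" -eq 0 ]; then echo silent; else echo ok; fi
}

# triage: ifconfig text on stdin -> "<name> <state>" per interface.
triage() {
  parse_ifconfig | while read -r name flags rx tx; do
    printf '%s %s\n' "$name" "$(classify_iface "$flags" "$rx" "$tx")"
  done
}

# Stand-alone run on the constructed sample; prints "eth0 down" and "lo ok".
printf '%s\n' "$SAMPLE_IFCONFIG" | triage
```

To run it against a live host from the console, pipe `ifconfig -a` into `triage` instead of the sample. A `down` or `no-carrier` public interface with zero counters is the signal to look at the provider side first; `ok` with the host still unreachable from outside points back at local firewall rules, routing or a dead daemon.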


1 answer

Resolved: OK, so the problem was that DigitalOcean disabled my Droplet (and they sent an e-mail notification which I did not see). They did it because some malware crawled through PrestaShop and was part of a DoS attack on somewhere.

So I had to use their web console to log in, make a database dump and make a zip backup of all the files. Now they will move the data to a separate Droplet, and the old one will have to be destroyed or rebuilt (to retain the IP).