Any detective to help with a quest? Virus/worm on Ubuntu. Cannot connect :(

August 29, 2016 212 views
Apache Networking Linux Commands Ubuntu

I have 512 MB Memory / 20 GB Disk / AMS3 - Ubuntu LAMP on 14.04 droplet.

I have installed Prestashop.

It was working for a few months, but now it does not. Now:

  1. It does not respond to ping from the outside world ("Request timeout for icmp_seq 0").
  2. I cannot ssh to it ("ssh: connect to host 188.166.xx.xx port 22: Operation timed out").
  3. I can access it only with the native DigitalOcean Droplet Console.

In DigitalOcean Droplet Panel I see:

  1. CPU usage almost constantly around 13%. (On 12 Aug 2016 the CPU dropped from a flat 14.5% average to a flat 13% average.)
  2. Public inbound/outbound traffic: 0.
  3. I constantly see disk writes of 0.6 MB/s. At around 17:30 every day I see a regular spike to 19% CPU, 1 MB/s disk read and 1 MB/s disk write.

From the DigitalOcean Droplet Console:

  1. I cannot ping.
  2. I cannot see the process list with ps or top; it hangs forever, until I restart the Droplet.

I have created another Droplet, but from there I cannot connect to my first droplet either:
root@ubuntu-512mb-ams3-01:~# ssh 188.166.xx.xx -v -v -v
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 59: Applying options for *
debug2: resolving "188.166.xx.xx" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 188.166.xx.xx port 22.
debug1: connect to address 188.166.xx.xx port 22: No route to host
ssh: connect to host 188.166.xx.xx port 22: No route to host

I get the same "No route to host" if I go to the "First" droplet and try to ssh to the "New" one.

The "First" Droplet Console lags quite a lot compared to the "New" one. So something is running there, but I cannot see a process list.

Please help me either to restore proper control, or to copy the DB data and the archived Prestashop files. (I already did a tgz and a mysqldump.)

Maybe list some commands you think I might try. I would really appreciate your help, guys!

  • Can you share the output of the command ifconfig on your droplet? This will show your configured network interfaces. I think that while it's possible that an infection or compromise is the root cause, the fact that your network is unavailable points me away from that possibility, simply because a compromised server is only useful if the attacker can use it, and they can only use it if they can connect to it.

    If you haven't already, I would also recommend opening a ticket with our support team so they can take a look and see if there is anything they are seeing to explain the loss of network connectivity.

  • Link encap:Ethernet
    HWaddr 04:01:45:19:61:01
    inet addr:188.166.40.xx
    Bcast:188.166.63.255 Mask:
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Link encap:Local Loopback
    inet addr: Mask:
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:193841 errors:0 dropped:0 overruns:0 frame:0
    TX packets:193841 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
    RX bytes:15606974 (15.6 MB) TX bytes:15606974 (15.6 MB)
1 Answer
grammer September 5, 2016
Accepted Answer

Resolved: OK, so the problem was that DigitalOcean had disabled my Droplet (they sent a notification email, which I did not see). They did it because some malware had crawled through Prestashop and was taking part in a DoS attack on somewhere.

So I had to use their web console to log in, make a database dump and make a zip backup of all the files. Now they will move the data to a separate Droplet, and the old one will have to be destroyed or rebuilt (to retain the IP).
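The question asks for commands to try from the console, and the accepted answer shows why: the box had been isolated by the provider because injected code in the Prestashop install was taking part in a DoS. The following triage script is an added example and not part of the thread or of Prestashop; it hunts for the two things that matter on such a box (PHP files carrying web-shell constructs, and PHP sitting in directories that should only hold static content), and, with `--live`, prints the interface, route and socket state that explains "No route to host" and shows which process holds the outbound connections. `WEBROOT=/var/www/html` and the `img/`, `upload/` and `download/` subdirectories are assumptions; the demo webroot it builds without `--live` is constructed sample data.

```sh
#!/bin/sh
# Added triage example for a LAMP droplet whose PrestaShop install is suspected
# of carrying injected PHP. Not from the thread; paths below are assumptions.

WEBROOT="${WEBROOT:-/var/www/html}"   # assumed PrestaShop document root

# PHP files that eval() an encoded payload, or feed a command-execution
# function straight from request parameters: the usual web-shell / bot shape.
# Prints one path per line; a clean install prints nothing.
find_suspicious_php() {
    find "$1" -type f -name '*.php' -print0 2>/dev/null |
        xargs -0 grep -lE \
            'eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\(|(system|passthru|shell_exec|exec|popen)\(\$_(GET|POST|REQUEST|COOKIE)' \
            2>/dev/null || true
}

# PHP where only static content belongs (assumed PrestaShop img/, upload/,
# download/ trees). Any hit is worth a look regardless of its content.
find_php_in_static_dirs() {
    for sub in img upload download; do
        [ -d "$1/$sub" ] && find "$1/$sub" -type f -name '*.php' 2>/dev/null || true
    done
}

# PHP files changed in the last N days (default 7); compare with your own
# deployment dates. Malware that "crawled through" a shop leaves fresh mtimes.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime -"${2:-7}" 2>/dev/null || true
}

# Checks that need the real box. A dead interface or missing default route
# explains "No route to host"; the socket listing shows which PID owns any
# outbound connections (a DoS bot shows up here even when ps/top hang).
live_triage() {
    echo "== interfaces";          ip -br addr
    echo "== routes";              ip route
    echo "== established sockets"; ss -tnp state established
    echo "== listeners";           ss -tulpn
}

# Constructed demo webroot: one legitimate class file plus two planted files
# (an eval-of-base64 backdoor and a request-driven shell under img/).
make_demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/classes" "$d/img"
    printf '<?php\nclass Cart { public function total() { return 0; } }\n' > "$d/classes/Cart.php"
    printf '<?php eval(base64_decode("cGhwaW5mbygpOw=="));\n' > "$d/classes/Link.php"
    printf '<?php system($_POST["c"]);\n' > "$d/img/x.php"
    echo "$d"
}

if [ "${1:-}" = "--live" ]; then
    live_triage
    echo "== suspicious PHP under $WEBROOT";       find_suspicious_php "$WEBROOT"
    echo "== PHP in static dirs under $WEBROOT";   find_php_in_static_dirs "$WEBROOT"
    echo "== PHP modified in the last 7 days";     recently_modified_php "$WEBROOT" 7
else
    demo=$(make_demo_webroot)
    echo "== demo webroot: $demo"
    echo "-- suspicious PHP:";       find_suspicious_php "$demo"
    echo "-- PHP in static dirs:";   find_php_in_static_dirs "$demo"
    rm -rf "$demo"
fi
```

Run it as `sh triage.sh --live` from the web console on the affected box; without `--live` it only exercises the constructed demo webroot, so it is safe to try anywhere. The string patterns are a first pass, not a signature set: obfuscated shells split the function names, so treat the "recently modified" and "PHP in static dirs" lists as equally important, and diff the tree against a clean PrestaShop release of the same version before copying anything to the new droplet.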