Any detective to help with quest? Virus/worm on Ubuntu. Can not connect :(

I have 512 MB Memory / 20 GB Disk / AMS3 - Ubuntu LAMP on 14.04 droplet.

I have installed Prestashop.

It was working for a few months. But now it does not. Now:

  1. Does not ping from outer world (“Request timeout for icmp_seq 0”.)
  2. I can not ssh to it (“ssh: connect to host 188.166.xx.xx port 22: Operation timed out”)
  3. I can access it only with native DigitalOcean Droplet Console.

In the DigitalOcean Droplet Panel graphs I see:

  1. CPU usage almost constantly around 13%. (12 aug 2016 — CPU dropped from 14.5% avg flat to 13% avg flat.)
  2. Public in/outbound: 0.
  3. Constantly I see writing to disk: 0.6Mb/s. At around 17:30 every day I see a regular spike to CPU 19%, Disk read 1Mb/s, Disk write 1Mb/s.

From the DigitalOcean Droplet Console:

  1. I can not ping
  2. I can not see the process list with ps or top — it hangs forever, until I restart the Droplet.

I have created another Droplet. But from there I can not connect to my first droplet either:

```
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: /etc/ssh/ssh_config line 59: Applying options for *
debug2: resolving "188.166.xx.xx" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 188.166.xx.xx port 22.
debug1: connect to address 188.166.xx.xx port 22: No route to host
ssh: connect to host 188.166.xx.xx port 22: No route to host
```

Same "No route to host" if I go to "First" droplet and try to ssh to the "New" one.

The "First" Droplet Console lags quite a lot compared to the "New" one. So something is running there, but I can not see a process list.


Please help me either restore proper control, or copy the DB data and the archived Prestashop. (Already did tgz and mysqldump.)

Maybe list me some commands you think I might try. I would really appreciate your help, guys!
```
Link encap:Ethernet
HWaddr 04:01:45:19:61:01
inet addr:188.166.40.xx
Bcast:188.166.63.255 Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Link encap:Local Loopback
inet addr: Mask:
inet6 addr: ::1/128 Scope:Host
RX packets:193841 errors:0 dropped:0 overruns:0 frame:0
TX packets:193841 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
RX bytes:15606974 (15.6 MB) TX bytes:15606974 (15.6 MB)
```

Can you share the output of the command ifconfig on your droplet? This will show your configured network interfaces. I think that while it’s possible that an infection or compromise is the root cause, the fact that your network is unavailable points me away from that possibility simply because a compromised server is only useful if the attacker can use it and they can only use it if they can connect to it.

If you haven't already, I would also recommend opening a ticket with our support team so they can take a look and see if there is anything they are seeing to explain the loss of network connectivity.


Accepted Answer

Resolved: OK, so the problem was that Digital Ocean disabled my Droplet (and they sent a notification email which I did not see). They did it because some malware crawled through Prestashop and was part of a DoS attack on somewhere.

So I had to use their web console to log in and make a database dump, and make a zip backup of all files. So now they will move the data to a separate Droplet, and the old one will have to be destroyed or rebuilt (to retain the IP).
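As an added illustration (this is not code from the thread, from the poster or from DigitalOcean), here is a small Python triage script that parses legacy net-tools ifconfig output of the kind pasted above and separates the two situations this thread discusses: a host whose public interface has carried no traffic at all since boot (RX and TX packets both 0 on the Ethernet interface while the loopback is busy, which is what the poster's output shows and what provider-side isolation looks like from inside the box) and a host whose public interface is sending far more than it receives (the counter shape a server taking part in an outbound DoS leaves behind). The interface names, the TEST-NET addresses and masks, the MAC address and the 20:1 TX:RX ratio are all assumptions made for the example; both sample outputs are constructed to resemble the thread's, not copied from it.

```python
import re

# Constructed sample modelled on the ifconfig output in the thread: public
# interface with no traffic since boot, loopback busy. Interface names,
# addresses (TEST-NET-3 range), masks and MAC are assumptions.
SAMPLE_ISOLATED = """\
eth0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:193841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:193841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15606974 (15.6 MB)  TX bytes:15606974 (15.6 MB)
"""

# Second constructed sample: a live link that is sending far more than it
# receives, the shape an outbound flood leaves in cumulative counters.
SAMPLE_FLOOD = """\
eth0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          RX packets:4210 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9876543 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:402117 (402.1 KB)  TX bytes:1234567890 (1.2 GB)
"""

HEADER_RE = re.compile(r"^(\S+)\s+Link encap:(.*?)(?:\s{2,}HWaddr\s+(\S+))?\s*$")
COUNTER_RE = re.compile(r"\b(RX|TX) (packets|bytes):(\d+)")
INET_RE = re.compile(r"inet addr:\s*(\S+)")


def parse_ifconfig(text):
    """Turn legacy ifconfig output into {iface: {encap, hwaddr, inet, counters}}."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None            # a blank line ends an interface block
            continue
        if not line[0].isspace():     # an unindented line starts a new block
            m = HEADER_RE.match(line)
            if m:
                current = m.group(1)
                ifaces[current] = {
                    "encap": m.group(2).strip(),
                    "hwaddr": m.group(3),
                    "inet": None,
                    "rx_packets": 0, "tx_packets": 0,
                    "rx_bytes": 0, "tx_bytes": 0,
                }
            continue
        if current is None:
            continue
        for direction, what, value in COUNTER_RE.findall(line):
            ifaces[current][f"{direction.lower()}_{what}"] = int(value)
        m = INET_RE.search(line)
        if m:
            ifaces[current]["inet"] = m.group(1)
    return ifaces


# TX:RX packet ratio above which the link is reported as flooding; a
# heuristic chosen for this example, not a published threshold.
FLOOD_RATIO = 20


def triage(ifaces, public="eth0"):
    """Classify the public interface from its cumulative counters."""
    pub = ifaces.get(public)
    lo = ifaces.get("lo")
    if pub is None:
        return "no-public-interface"
    if pub["rx_packets"] == 0 and pub["tx_packets"] == 0:
        # Not one frame in either direction since boot: the wire is dead
        # (upstream isolation, dead virtual NIC, link misconfiguration).
        # A busy loopback shows the host itself is still running.
        return "isolated-upstream" if lo and lo["rx_packets"] > 0 else "isolated"
    if pub["tx_packets"] > FLOOD_RATIO * max(pub["rx_packets"], 1):
        # Link is alive but this host is mostly talking, not listening:
        # the counter shape of a box taking part in an outbound flood.
        return "outbound-flood"
    return "link-active"


if __name__ == "__main__":
    for name, sample in (("isolated", SAMPLE_ISOLATED), ("flood", SAMPLE_FLOOD)):
        ifs = parse_ifconfig(sample)
        counts = {k: (v["rx_packets"], v["tx_packets"]) for k, v in ifs.items()}
        print(name, "->", triage(ifs), counts)
```

Counters in ifconfig are cumulative since the interface came up, so a reboot (as the poster did) resets them; a public interface still at zero after the host has been up for a while, with loopback traffic proving the host is alive, is the signature of being cut off upstream rather than of being actively used by an attacker. On a box where the link is live, comparing the TX and RX packet counts is a quick first check before reaching for `ss` or a packet capture.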