My main droplet, which I’ve had for about 5 years, has been infected with malware or something. The CPU spikes to 100% for hours at a time, and the hacker has gone in and added SSH keys of his own, adding the comment of mdrfkr to show us that he is in the droplet.
I think the best thing is to move to a new droplet, because DO says that it’s almost impossible to find and remove all malware. But what is the best way to do this? I’ve searched for “transfer” and “move” in this online community, but have found no good matching responses.
The website is older and uses PHP 7 along with Ubuntu 18.04.6. It also has BoogieTools installed, which is an email bounce processor. Of course there are a few POP email accounts that need to be moved over, which the hacker also messed with. I’ve never made a backup or snapshot. My existing IP address has a good email sending reputation, so I want to keep this IP if at all possible. Maybe move to a new droplet, wipe the hard drive of the first droplet, and then move everything from the new droplet back to the original one?
The hacker has caused much damage. My 3 other developers and I can’t get rid of him, no matter what we try, including eliminating username logins, root logins, implementing the DO firewall, the UFW, etc. He is more advanced. The only way is a new droplet, but I must be careful doing this, as I don’t want to break anything.
Thank you so much for your advice!
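Added example, not from the original post or from DigitalOcean: a POSIX shell audit that lists every `authorized_keys` entry that is not on an approved key list, the kind of check to run over files copied off the old droplet before any of them are moved to the new one. The directory layout, the `approved.txt` file and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Audit every authorized_keys file under a root directory and report entries
# whose key material ("type base64") is not on an approved list. Comparing
# the raw key text means the copied files need no ssh-keygen to be checked.
set -eu

# Prints one line per unapproved key: <file><TAB><comment>
audit_keys() {
  root=$1; approved=$2
  find "$root" -name authorized_keys -type f 2>/dev/null | while IFS= read -r f; do
    awk -v file="$f" -v approved="$approved" '
      BEGIN { while ((getline line < approved) > 0) { split(line, a, " "); ok[a[1] " " a[2]] = 1 } }
      /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
      {
        # find the key-type field; options such as command="..." may precede it
        for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
        if (i > NF) { print file "\tUNPARSEABLE: " $0; next }
        key = $i " " $(i + 1)
        comment = ""
        for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
        if (!(key in ok)) print file "\t" (comment == "" ? "(no comment)" : comment)
      }' "$f"
  done
}

# Constructed sample (placeholder keys, not real ones): the deploy key is
# approved; a second key with a hostile comment has been added for root.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/root/.ssh" "$d/home/deploy/.ssh"
  good="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEapprovedkey deploy@workstation"
  bad="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEunknownkey mdrfkr"
  printf '%s\n' "$good" > "$d/home/deploy/.ssh/authorized_keys"
  printf '%s\n' "$good" "$bad" > "$d/root/.ssh/authorized_keys"
  printf '%s\n' "$good" > "$d/approved.txt"
  echo "$d"
}

sample=$(make_sample)
audit_keys "$sample" "$sample/approved.txt"
```

Run it against a copy of the old droplet's filesystem (for example a mount of a snapshot) so that every user's key file, not just root's, is covered.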