Question

Digital Ocean disabled network on our drople even when our server is no longer compromised

abuse request: [ ref:_00Df218t5m._5004P1rMkLV:ref ]

This droplet is 5 year old and setup with “serverpilot” and auto security updates/firewall is checked according to.

On 1st April our network was disabled. I started by responding to abuse request, digital ocean restored the network and we managed to find and remove the malware on our server, it was simply a rogue PHP script uploaded by attacker to our Wordpress upload folder and executed by crontab.

I deleted the crontab entry and deleted the malicious PHP file. After that I continued monitoring network and everything was normal.

I told digital ocean all this and everything was back to normal.

Now today on 5th April, suddenly our droplet’s network is again turned off and I see “abuse request” yes update on the previous abuse request with a log entry like this:

[28/Mar/2022:09:38:36 +0000] “POST /xmlrpc.php HTTP/1.1” 403 170 “-” “Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0” “-” Time Zone: UTC

But we fixed the server on 1st April then what’s the point of turning off our network based on log report from past the day (28th march?) we fixed the malware?

Do they expect us to time travel and fix the issue?

Anyways, now digital ocean has gone silent and doesn’t reply anymore!

I am agreeing to destroy this droplet but please at least let move our data off the server? We just need 3 hours for this. This is very difficult using “recovery iso” as we need to chroot and then start services to dump data.

Our server is now longer compromised yet I will happily delete it but please let us move our data.

abuse request: [ ref:_00Df218t5m._5004P1rMkLV:ref ]


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Hey @eli-xir,

I’m sorry to hear of your troubles! In our public community, we aim to answer open questions about anything SysAdmin, DigitalOcean and beyond. However, we don’t ever access personal account information here. This means we can’t provide help with any account or billing-related issues.

Do you have a ticket number from when you contacted our support team so that I can get this followed up for you?

Hoping I can at least speed up the process for you!

Hope that helps! - KFSys.

I’ve no idea what kind of people work at digital ocean who randomly disable network based on “old report” and don’t even care to check updates on the abuse request ticket before taking action.