Droplets got infected by Bot-Net Malware

December 26, 2018
Networking Ubuntu 18.04

I purchased three droplets yesterday, one with a strong password and two with a very weak password (1 in SGP, 1 in BLR). When I checked my email this morning, DO was warning me that two of my droplets with weak passwords were being used for a DDoS attack (they consumed 3.84TB of bandwidth before DO cut the network off my droplets). My first assumption was that my droplets were infected by malware. I wondered: did a person just SSH into my machine and download some malware? And how should I recover my data from it?

1 Answer
jarland MOD December 27, 2018
Accepted Answer

Hey friend,

Great question. Every server which is online is under constant attack over SSH when on port 22 (not to imply that changing the port is more secure), at the very least. If you had an easy password, they likely slipped right in and planted their malware. It isn't usually a human doing the work; it's all automated.

If you just spun up these servers yesterday, I'd suggest you might be able to spare the data on them and just destroy the droplets. If you really need the data off, you'll need to work with our Trust & Safety team to have them re-enable networking after you've booted from our recovery ISO:

https://www.digitalocean.com/docs/droplets/resources/recovery-iso/

Jarland
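The answer above says the break-in was almost certainly an automated password-guessing run against sshd rather than a person. That is something you can confirm from the server's own log once you have the disk mounted from the recovery ISO: Ubuntu's sshd writes every rejected and accepted password attempt to /var/log/auth.log, and a bot shows up as a burst of "Failed password" lines from one source followed by an "Accepted password" from the same source. The script below is an added example written for this page, not code from the original thread or from DigitalOcean; it parses constructed auth.log lines in the standard sshd format, tallies failures per source IP and flags any IP that logged in successfully shortly after a run of failures. The sample lines, IPs, hostname, the assumed log year (syslog timestamps carry none) and the thresholds are all constructed for the example.

```python
"""Triage sshd auth.log lines for automated password brute-forcing.

Added example, not part of the original thread. The log excerpt below is
constructed; real lines come from /var/log/auth.log on the mounted disk.
"""
import re
from collections import defaultdict
from datetime import datetime

# Standard sshd password events as written through syslog:
#   <Mon DD HH:MM:SS> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2
#   <Mon DD HH:MM:SS> <host> sshd[<pid>]: Accepted password for <user> from <ip> port <n> ssh2
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample: one bot guessing root's password and getting in on the
# sixth try, one unrelated single failure, and one clean login from elsewhere.
SAMPLE_LOG = """\
Dec 26 03:14:01 droplet sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Dec 26 03:14:03 droplet sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Dec 26 03:14:05 droplet sshd[1205]: Failed password for root from 203.0.113.7 port 50144 ssh2
Dec 26 03:14:07 droplet sshd[1207]: Failed password for root from 203.0.113.7 port 50150 ssh2
Dec 26 03:14:08 droplet sshd[1209]: Failed password for root from 203.0.113.7 port 50161 ssh2
Dec 26 03:14:10 droplet sshd[1211]: Accepted password for root from 203.0.113.7 port 50170 ssh2
Dec 26 03:20:44 droplet sshd[1300]: Failed password for root from 198.51.100.23 port 41000 ssh2
Dec 26 09:02:17 droplet sshd[2044]: Accepted password for root from 192.0.2.10 port 60001 ssh2
"""


def parse_auth_log(text, year=2018):
    """Return a list of (timestamp, result, user, ip) for each sshd password
    event in text, in log order. Lines that are not password events are
    skipped. `year` is assumed, because syslog timestamps omit it."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce_logins(events, min_failures=5, window_seconds=600):
    """Return {ip: (failures_in_window, user, login_time)} for every source
    IP whose successful login came within window_seconds of at least
    min_failures failed attempts from the same IP. A human who mistyped once
    or twice is not flagged; a guessing bot is."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    suspicious = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip]
                  if 0 <= (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            suspicious[ip] = (len(recent), user, ts)
    return suspicious


def top_failure_sources(events, n=5):
    """Return the n source IPs with the most failed attempts, most first."""
    counts = defaultdict(int)
    for _, result, _, ip in events:
        if result == "Failed":
            counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for ip, (n, user, ts) in find_bruteforce_logins(evs).items():
        print(f"{ip}: logged in as {user!r} at {ts:%b %d %H:%M:%S} "
              f"after {n} failed attempts")
    print("top failure sources:", top_failure_sources(evs))
```

On a real droplet, run it against the auth.log (and any rotated auth.log.1 / auth.log.*.gz) copied off the disk mounted from the recovery ISO, not on the compromised system itself. Two caveats that do not change the answer's advice: a successful login from the flagged IP tells you when the box fell, not what was installed afterwards, and once an attacker has root the log is only as trustworthy as they chose to leave it, which is why rebuilding the droplet rather than cleaning it is the right call.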
