Droplets got infected by Bot-Net Malware

I purchased three droplets yesterday, one with a strong password, two with a very weak password (1 in SGP, 1 in BLR). When I checked my email this morning, DO was warning me that my two droplets with weak passwords were being used for a DDoS attack (consuming 3.84TB of bandwidth before DO cut the network of my droplets). My first assumption was that my droplets are infected by malware. I wondered: did a person just SSH into my machine and download some malware? And how should I recover my data from it?



Accepted Answer

Hey friend,

Great question. Every server which is online is under constant attack over SSH when on port 22 (not to imply that changing port is more secure), at the very least. If you had an easy password, they likely slipped right in and planted their malware. It isn’t usually a human doing the work; it’s all automated.

If you just spun up these servers yesterday, I’d suggest you might be able to spare the data on them and just destroy the droplets. If you really need the data off, you’ll need to work with our Trust & Safety team to have them re-enable networking after you’ve booted from our recovery ISO:
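The automated password guessing described above leaves a characteristic trail in the SSH daemon log: a burst of "Failed password" lines from one source, followed by an "Accepted password" from that same source. The script below is an added example (not part of the original post or any DigitalOcean tooling) that scans constructed auth.log lines and flags password logins that arrived after a threshold of failures from the same address; the log lines, hostnames and IP addresses are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log style sshd entries (not real data).
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 droplet sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:02 droplet sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 02:14:03 droplet sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 02:14:04 droplet sshd[1205]: Failed password for invalid user admin from 198.51.100.9 port 2222 ssh2
Mar 10 02:14:05 droplet sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 02:14:06 droplet sshd[1208]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 02:14:09 droplet sshd[1210]: Accepted password for root from 203.0.113.7 port 51250 ssh2
Mar 10 03:00:00 droplet sshd[1300]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
"""

# Matches both outcomes, both auth methods, and the "invalid user" variant sshd emits
# for accounts that do not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def analyze_auth_log(text, threshold=5):
    """Return (failures_per_ip, suspicious_logins).

    suspicious_logins lists (ip, user, prior_failures) for every password-based
    login accepted from an address that had already failed `threshold` or more
    times earlier in the log, the signature of a successful brute-force.
    Key-based logins are never flagged, since guessing does not apply to them.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, method, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        elif method == "password" and failures[ip] >= threshold:
            suspicious.append((ip, user, failures[ip]))
    return dict(failures), suspicious


if __name__ == "__main__":
    counts, hits = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, user, n in hits:
        print(f"brute-force success: {user}@{ip} after {n} failures")
```

On a live droplet, run it over the real auth.log from the recovery ISO, and treat any hit as confirmation that the credential was guessed; switching that account to key-only authentication closes the path the bots used.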