Hacker using Digital Ocean IPs

September 1, 2017 1.1k views
DigitalOcean Security

I report a particular hacker using Digital Ocean on nearly a daily basis. I supply logs to show the hacker's access to my droplet. I provide links to abusedb.com to show the IP is being used for hacking.

What does it take for Digital Ocean to simply refuse to provide a user service when they are demonstrably shown to be a bad actor?

3 Answers

Are you using tickets? I doubt you'll get much done by creating a ticket. I suggest you send them an email to abuse@digitalocean.com with all the information regarding the user's malicious actions.
All hosting companies will have people who abuse their services and to be honest with you not many of them do much about it anyway.

  • I use abuse@digitalocean.com.

    I don't report the scrapers, wordpress hackers, port sniffers, etc. However email is sacred because if you have a bad actor in your IP space, some RBL will block the entire IP space in some of their more aggressive lists. As you probably know, the RBL providers are mighty useless regarding why you are on the list, presumably so you don't discover how to avoid their spammer detector. Frankly given the poor job Digital Ocean does on blocking this hacker, I don't blame the RBLs for blocking an entire chunk of Digital Ocean. I would do the same thing since the hacker has been operational for months.

    Personally when you have over 100 RBL providers, there is simply something suspicious. I've heard some are shakedown artists. Pay them money not to be on the list. I try to get some hosting companies to drop the slime RBLs like spamrl, but it isn't easy.

I just got hit by a script kiddie, using DigitalOcean to brute force ssh.

current IP of the attacker (as of 9th January, 2018):

I guess this is the dude you're talking about.
If I/you/we are lucky, DO sysops might see this post - and will do SOMETHING.

I've basically given up on the sys admins to block the DO hackers. I assume this is a problem on all VPSs, given the cost we pay these days. That is, I used to get hacked without mercy from Linode until I blocked most of Linode. I have slowly put together the IP space of DO as I've been hacked. Don't expect perfection, but it will block many DO droplets.
DO IP space
It expires in a week, but just ask again if you need it.

I'm probably stating the obvious here, and this is hardly the only solution, but my workflow is to look up the IP on ip2location.com. Once I determine it is a datacenter, VPS, VPN or what I determine to be a trouble maker, I put the IP address into bgp.he.net and get the AS. You can either block the one CIDR from bgp.he.net, or you can look at the IPV4 space list and select the matching names.

For example, from my nginx log:

400 - - [17/Jan/2018:03:42:43 +0000] "SSH-2.0-Go" 173 "-" "-" "-"

Clearly an IP that isn't going to do any browsing. Ip2location shows that IP is at DO SFO. The associated CIDR is, which you can block in the firewall of your choice from everything but maybe port 25 should you want email from the hacker.

bgp.he.net identifies the IP as the infamous stretchoid hacker, or researcher if you believe them. (zg-1222a-94.stretchoid.com) 

Shocker, it is in the abuse database. ;-) The IP CIDR is in AS14061. The associated IPV4 space is at
which is not exclusively DO. You can cut, paste, sed the results to get it in the form you want.

There are other ways to get the contents of an AS, but they don't seem to be up to date. That is, bgp.he.net has more IP CIDRs. Here is one example of how to enumerate an AS.
[list AS] https://www.linkedin.com/pulse/autonomous-system-lookup-using-command-line-linux-mezgani-ali
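The workflow in this answer (spot a non-browser request in the nginx log, find the prefix it belongs to in the AS's prefix list, block that prefix except port 25) and the "block the DO IP space" approach in the previous answer both come down to the same "cut, paste, sed" step. The script below is an added example, not code from this thread or from DigitalOcean: it parses a pasted "CIDR  NAME" prefix list (filtering on the name column, since an AS page is "not exclusively DO"), flags probes in combined-format nginx log lines, maps each probe to its prefix and emits iptables rules. The prefix list, the network names and the log lines are constructed from RFC 5737 documentation ranges, not real DigitalOcean space; the poster's own log line has its address stripped, so the regex assumes the default combined format.

```python
#!/usr/bin/env python3
"""Pasted AS prefix list + nginx access log -> iptables rules for the scanning prefixes.

Added example for the thread above; every input below is constructed.
"""
import ipaddress
import re

# Constructed stand-in for the "IPv4 prefixes" page of an AS on bgp.he.net.
# Such pages mix the hoster's own blocks with other customers', so keep the
# name column and filter on it instead of blocking every row.
PREFIX_LIST = """\
192.0.2.0/24      EXAMPLE-HOSTING-SFO2
198.51.100.0/24   EXAMPLE-HOSTING-NYC1
203.0.113.0/24    SOME-OTHER-CUSTOMER
"""

# Constructed nginx "combined" log lines. The second one is what an SSH
# scanner looks like on port 80: the raw banner lands in the request field
# and nginx answers 400.
ACCESS_LOG = """\
198.51.100.7 - - [17/Jan/2018:03:41:10 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Jan/2018:03:42:43 +0000] "SSH-2.0-Go" 400 173 "-" "-"
203.0.113.9 - - [17/Jan/2018:03:43:01 +0000] "\\x16\\x03\\x01" 400 173 "-" "-"
"""

HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "PATCH ")

# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_prefix_list(text, name_filter=None):
    """Networks from a 'CIDR   NAME' list; with name_filter, only rows whose
    name contains it (case-insensitive). Rows that are not a CIDR are skipped."""
    nets = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        cidr = parts[0]
        name = parts[1].strip() if len(parts) > 1 else ""
        if name_filter and name_filter.lower() not in name.lower():
            continue
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            continue
    return nets


def parse_log(text):
    """(ip, request, status) for every line that matches the combined format."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((ipaddress.ip_address(m["ip"]), m["request"], int(m["status"])))
    return out


def is_scanner(request, status):
    """Not HTTP at all (SSH/TLS banners, raw bytes) or rejected with 400: a probe, not a browser."""
    return status == 400 or not request.startswith(HTTP_METHODS)


def find_prefix(ip, nets):
    """Most specific network in nets containing ip, or None."""
    hits = [n for n in nets if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def scanner_prefixes(log_text, nets):
    """Map each prefix that sourced a probe to the probing IPs seen from it."""
    seen = {}
    for ip, request, status in parse_log(log_text):
        if not is_scanner(request, status):
            continue
        net = find_prefix(ip, nets)
        if net is not None:
            seen.setdefault(net, []).append(ip)
    return seen


def build_rules(nets, allow_ports=(25,), chain="INPUT"):
    """Per prefix: ACCEPT the allowed TCP ports, then DROP everything else.
    -A appends in order, so the ACCEPT lines must come before the DROP."""
    rules = []
    for net in sorted(nets, key=lambda n: (n.version, int(n.network_address))):
        for port in allow_ports:
            rules.append(f"iptables -A {chain} -s {net} -p tcp --dport {port} -j ACCEPT")
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
    return rules


if __name__ == "__main__":
    nets = parse_prefix_list(PREFIX_LIST, name_filter="EXAMPLE-HOSTING")
    hits = scanner_prefixes(ACCESS_LOG, nets)
    for net, ips in hits.items():
        print(f"# {net}: probes from {', '.join(map(str, ips))}")
    print("\n".join(build_rules(hits)))
```

With the constructed inputs only 192.0.2.0/24 produces rules: the 203.0.113.9 probe is dropped by the name filter, and the 198.51.100.7 request is an ordinary GET. Swap in the real prefix list you pasted and drop the name filter if you want the previous answer's "block the whole AS" behaviour.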
