Hackers and Attackers

When I ssh’ed into two of my accounts on ‘’, I saw

Last login: Sat Jan 11 01:22:17 2020 from and this Last login: Sun Jan 12 17:05:12 2020 from

Any chance this is from D.O. maintainence? Do you recognize these IP addresses? Is there any way I can tell which authentication mechanism they have accessed? IE, have they broken my passwords? Have they broken in through SSH attacks?

whois is located in Downsville, NY 13755.


Submit an answer
You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Hi @stephenwitheywrightSquid,

The IP doesn’t seem to be one of DigitalOcean’s ranges. Additionally personnel from DigitalOcean will not access your droplet.

As to the methods they’ve used, firstly, confirm what methods of authentication you have. DigitalOcean’s droplets come with enabled only PublicKey authentication however if you’ve enabled your password authentication as well, most likely that was the way they access your droplet.

Additionally, it’s possible the attackers used an exploit on one of your service .

Now, there is no way to know the exact damage they have caused so I’ll recommend the following :

  • If you have a backup of the droplet, revert to it and update everything. If you have any outdated service like PHP,Nginx,MySQL and so on, update them to the latest one.

  • If you don’t have a backup, you’ll need to built a new droplet. There is no other way around it. Having said that before you put your website/application on your new droplet, make sure to check your website if anything has been put there as a backdoor. Once you are sure there hasn’t you can go ahead and migrate it to your new droplet.

As to check how was your droplet accessed, you can search your /var/log/messages and /var/log/secure. The information is contained there. Unless it has been removed by the people that got access to your droplet.

Regards, KDSys