Hackers and Attackers

January 14, 2020 116 views
DigitalOcean Accounts

When I ssh'ed into two of my accounts on ‘powerofdifference.org’, I saw

Last login: Sat Jan 11 01:22:17 2020 from 50.108.193.47
and this
Last login: Sun Jan 12 17:05:12 2020 from 50.108.193.47

Any chance this is from D.O. maintainence? Do you recognize these IP addresses? Is there any way I can tell which authentication mechanism they have accessed?
IE, have they broken my passwords? Have they broken in through SSH attacks?

whois 50.108.193.47 is located in Downsville, NY 13755.

1 Answer

Hi @stephenwitheywrightSquid,

The IP 50.108.193.47 doesn’t seem to be one of DigitalOcean’s ranges. Additionally personnel from DigitalOcean will not access your droplet.

As to the methods they’ve used, firstly, confirm what methods of authentication you have. DigitalOcean’s droplets come with enabled only PublicKey authentication however if you’ve enabled your password authentication as well, most likely that was the way they access your droplet.

Additionally, it’s possible the attackers used an exploit on one of your service .

Now, there is no way to know the exact damage they have caused so I’ll recommend the following :

  • If you have a backup of the droplet, revert to it and update everything. If you have any outdated service like PHP,Nginx,MySQL and so on, update them to the latest one.

  • If you don’t have a backup, you’ll need to built a new droplet. There is no other way around it. Having said that before you put your website/application on your new droplet, make sure to check your website if anything has been put there as a backdoor. Once you are sure there hasn’t you can go ahead and migrate it to your new droplet.

As to check how was your droplet accessed, you can search your /var/log/messages and /var/log/secure. The information is contained there. Unless it has been removed by the people that got access to your droplet.

Regards,
KDSys

Have another answer? Share your knowledge.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!