Hello, after days of frustration I finally discovered a rootkit that grants shell access to my sites on my Droplet. I discovered it because a spammer deleted the admin account on one of my sites (all WordPress).
I deleted all the files it created, but the files are recreated a few minutes after deletion.
Please, how can I stop this? Any help will be appreciated. Thank you.
Before trying to make a new Droplet I want to try to remove all the malware. Just now I started a scan with clamscan, but I have not set a password for access to the Droplet, I just use a private SSH key.
This is one of the scripts I found: https://code.google.com/archive/p/b374k-shell/
I found this in the auth log:
Mar 2 13:45:38 localhost sshd[4525]: Invalid user billing from 115.28.110.195
Mar 2 13:45:38 localhost sshd[4525]: input_userauth_request: invalid user billing [preauth]
Mar 2 13:45:38 localhost sshd[4525]: pam_unix(sshd:auth): check pass; user unknown
Mar 2 13:45:38 localhost sshd[4525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.28.110.195
Mar 2 13:45:41 localhost sshd[4525]: Failed password for invalid user billing from 115.28.110.195 port 53260 ssh2
Mar 2 13:45:41 localhost sshd[4525]: Received disconnect from 115.28.110.195: 11: Bye Bye [preauth]
Mar 2 13:45:42 localhost sshd[4523]: reverse mapping checking getaddrinfo for ppp-102-146.24-151.wind.it [151.24.146.102] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 2 13:45:44 localhost sshd[4523]: Accepted publickey for root from 151.24.146.102 port 64216 ssh2: RSA 7c:0d:d9:a6:82:8b:56:e4:13:1a:d0:38:49:45:28:78
Mar 2 13:45:44 localhost sshd[4523]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 2 13:45:44 localhost systemd-logind[806]: New session 3 of user root.
Mar 2 13:47:39 localhost sshd[4617]: Invalid user ftp from 123.59.134.76
Mar 2 13:47:39 localhost sshd[4617]: input_userauth_request: invalid user ftp [preauth]
Mar 2 13:47:39 localhost sshd[4617]: pam_unix(sshd:auth): check pass; user unknown
Mar 2 13:47:39 localhost sshd[4617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=123.59.134.76
Mar 2 13:47:42 localhost sshd[4617]: Failed password for invalid user ftp from 123.59.134.76 port 43310 ssh2
Mar 2 13:47:42 localhost sshd[4617]: Received disconnect from 123.59.134.76: 11: Bye Bye [preauth]
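The log above mixes password brute-force attempts against non-existent users with one accepted public-key login for root. A quick way to separate the two, and to check whether the accepted key fingerprint is one you actually put in authorized_keys, is a small parser over the sshd lines. This is an added example, not part of the original post; the sample lines are copied from the post, and the set of "known" fingerprints is an assumption you would fill from `ssh-keygen -E md5 -lf ~/.ssh/authorized_keys`.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the sshd lines quoted in the post above.
SAMPLE_AUTH_LOG = """\
Mar 2 13:45:38 localhost sshd[4525]: Invalid user billing from 115.28.110.195
Mar 2 13:45:41 localhost sshd[4525]: Failed password for invalid user billing from 115.28.110.195 port 53260 ssh2
Mar 2 13:45:44 localhost sshd[4523]: Accepted publickey for root from 151.24.146.102 port 64216 ssh2: RSA 7c:0d:d9:a6:82:8b:56:e4:13:1a:d0:38:49:45:28:78
Mar 2 13:47:39 localhost sshd[4617]: Invalid user ftp from 123.59.134.76
Mar 2 13:47:42 localhost sshd[4617]: Failed password for invalid user ftp from 123.59.134.76 port 43310 ssh2
"""

# Failed password attempts, for valid or invalid users.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Successful logins; the trailing "RSA <fingerprint>" part is only present for publickey.
ACCEPTED_RE = re.compile(
    r"Accepted (\w+) for (\S+) from (\S+) port \d+ ssh2(?:: (\w+) ([0-9a-f:]+))?"
)


def summarize_auth_log(text, known_fingerprints=frozenset()):
    """Count failed logins per source host and list every accepted login.

    known_fingerprints: MD5 fingerprints of keys the operator placed in
    authorized_keys (assumed input; compare with ssh-keygen -E md5 -lf).
    """
    failed_by_host = defaultdict(int)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_host[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, host, _keytype, fingerprint = m.groups()
            accepted.append({
                "user": user,
                "host": host,
                "method": method,
                "fingerprint": fingerprint,
                # A root login with a key you do not recognise is the line to act on.
                "known_key": fingerprint is not None and fingerprint in known_fingerprints,
            })
    return {"failed_by_host": dict(failed_by_host), "accepted": accepted}


if __name__ == "__main__":
    for entry in summarize_auth_log(SAMPLE_AUTH_LOG)["accepted"]:
        print(entry)
```

Run it over the full /var/log/auth.log; any accepted login whose fingerprint is not in your own list, or any password-based login when you only use keys, points at a credential you need to revoke.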