My droplet has been compromised and is sending an outgoing Flood or DDoS. What do I do?

My droplet has been compromised and I created a new droplet with a snapshot of the old one.

The new droplet has been compromised too.

How can I find the problem?

Please help me.


In cases like yours I usually recommend to ‘nuke it from orbit’. In other words, my recommendation would be to create a completely new droplet, and configure it with higher security.

PRE-start: Be sure you use new passwords for everything on the server. If you are using SSH keys, generate new pairs, in case they got compromised.

  1. Use SSH keys. It is much more secure to use SSH keys instead of passwords, but please keep them in a safe place. The tutorial on How to use SSH keys should help you get into it.
  2. Create a non-root user and make sure it uses an SSH key like the root user. Follow steps two, three and four of the Initial setup guide.
  3. Make sure you can log in to your new user with the key.
  4. Disable root access and password-based authentication on SSH. Follow step five of the Initial setup guide. In addition to that, find the PermitRootLogin directive and set it to no (by default it is yes), e.g.
     sshd_config — Disable root login
     PermitRootLogin no
  5. (Optional) Install fail2ban for enhanced security. Fail2ban is used to ban brute-force attacks against your server. Learn more about fail2ban. Besides SSH, it can be used for protecting an Apache or Nginx server.
  6. Install other packages but don’t use the same passwords.

If you are using WordPress, research your theme and plugins. There could be some security holes. If you are using some other random program, make sure it is secured.

Why I’m for this: You have a backup, but once a hole is found, there is a VERY high probability that the security hole existed before, even in the backup. This is usually why you should start with a new Droplet if possible and pay high attention to security settings. If you need more help, we will try to help, but this is my usual procedure for hacked Droplets: never believe in backups, nuke it from orbit :P
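As an added example (not from the answer above, and not DigitalOcean's or OpenSSH's own code), here is the sshd_config part of steps 2 to 4 as a POSIX shell script: it rewrites the `PermitRootLogin` and password-authentication directives on a copy of the file and then checks the result, so the change can be reviewed before it replaces `/etc/ssh/sshd_config`. The function names are mine, and the sample config the script writes is a constructed stand-in for a stock file, not a real one.

```shell
#!/bin/sh
# Added example: harden an sshd_config copy (PermitRootLogin no,
# PasswordAuthentication no, PubkeyAuthentication yes) and verify it.
# Function names and the sample file are constructed for this example.

# set_sshd_option FILE KEY VALUE
# Remove every existing KEY line (commented or not, any indentation), then
# put "KEY VALUE" at the top of the file. sshd honours the first value it
# sees for a keyword, and the top of the file is always outside any Match
# block, so this cannot be overridden by a later stray line. Note that a
# KEY line inside a Match block is removed as well.
set_sshd_option() {
    file=$1; key=$2; value=$3
    { printf '%s %s\n' "$key" "$value"
      sed -E "/^[#[:space:]]*${key}[[:space:]]/d" "$file"; } > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# harden_sshd_config FILE
# The directives from the answer's step 4: no root login, no passwords,
# keys only. ChallengeResponseAuthentication is turned off too, because
# keyboard-interactive logins via PAM would otherwise still accept a password.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" ChallengeResponseAuthentication no
}

# check_sshd_config FILE
# Succeed (exit 0) only if every hardening directive is present exactly as
# an uncommented line; fails otherwise.
check_sshd_config() {
    file=$1
    grep -Eq '^PermitRootLogin no$' "$file" &&
    grep -Eq '^PasswordAuthentication no$' "$file" &&
    grep -Eq '^PubkeyAuthentication yes$' "$file" &&
    grep -Eq '^ChallengeResponseAuthentication no$' "$file"
}

# write_sample_config FILE
# Constructed sample that resembles a stock Debian/Ubuntu sshd_config, with
# the commented defaults and the weak live settings the answer warns about.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real file)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
EOF
}

# Stand-alone run: work on a temporary copy, never on the live file.
if [ "${0##*/}" = "harden_sshd.sh" ]; then
    work=$(mktemp)
    write_sample_config "$work"
    harden_sshd_config "$work"
    check_sshd_config "$work" && echo "hardened config written to $work"
fi
```

Run it against a copy of the real file (`cp /etc/ssh/sshd_config /tmp/sshd_config.new`, then `harden_sshd_config /tmp/sshd_config.new`), validate the result with `sshd -t -f /tmp/sshd_config.new` before installing it, and keep your current SSH session open while you reload sshd and confirm in a second session that the key-only non-root login from step 3 still works; that second session is what saves you from locking yourself out of the new droplet.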