My droplet has been compromised and is sending an outgoing Flood or DDoS. What do I do?
XXXXX is your droplet's ID. You'll need a password for root, so if you don't have one please contact support for further advice. On the console once logged in, use one of these commands to try to find an unfamiliar process running:

This command, if installed, shows programs holding open a network socket:

lsof -i

This command will show all running processes:

ps -ef

Adding a pipe to an output paging program may help for long output, for example:

lsof -i | less
ps -ef | less

This command, if you replace XXXX with a Process ID (PID), will show you the path to the executable file that is the origin of a process:

ls -al /proc/XXXX

Common places trojans hide are /boot, /tmp, /run and /root. With this command you can list all content, including "dot files", in /boot:

ls -al /boot

If you find something you know is foreign, check the ownership of the files for hints on what user privileges were used to install the code, kill the process, remove the files, and review your log files to try to find out how the code was installed so that you can work on preventing it from happening again. If you need any advice, send support whatever data you are looking at that you need help with and they will try to point you in the right direction. The best way is to screenshot the console showing the data you are uncertain of, upload it to a file sharing service (ex: imgur.com, dropbox.com) and send the URL in the ticket. Some programs that may also help are:
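The triage the answer walks through (which processes hold network sockets, which executable sits behind each PID, who owns it, and what is sitting in the usual hiding places) as one script. This is an added example, not part of the original answer and not DigitalOcean tooling. It assumes a Linux host with /proc and ps, and either lsof or ss for the socket listing; the directory list is the answer's four places plus /dev/shm and /var/tmp, which are my assumption of equally common drop locations; the function names are mine.

```shell
#!/bin/sh
# Added triage helper for the steps in the answer above (example code, not
# from the original answer or from DigitalOcean). Assumes Linux with /proc
# and ps, plus lsof or ss. Run as root so /proc/PID/exe is readable for
# every process:  sh triage.sh run

# The answer's hiding places, plus /dev/shm and /var/tmp (assumption: these
# world-writable scratch areas are just as commonly used for dropped files).
SUSPECT_DIRS="/boot /tmp /run /root /dev/shm /var/tmp"

# suspicious_path PATH -> exit 0 if PATH is under a suspect directory or is
# a deleted executable that is still running from memory, otherwise 1.
suspicious_path() {
    p="$1"
    case "$p" in
        *" (deleted)") return 0 ;;   # binary unlinked after launch to hide it
    esac
    for d in $SUSPECT_DIRS; do
        case "$p" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# exe_of_pid PID -> the executable behind a running PID; this is the "exe"
# link that 'ls -al /proc/PID' shows, resolved to its target.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null || echo "unknown"
}

# owner_of_pid PID -> user the process runs as, a hint about which
# privileges were used to start the code.
owner_of_pid() {
    ps -o user= -p "$1" 2>/dev/null | tr -d ' '
}

# net_pids -> PIDs holding network sockets. Uses 'lsof -i' when present
# (it is not installed on every image) and falls back to 'ss -p'.
net_pids() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i 2>/dev/null | awk 'NR>1 {print $2}' | sort -un
    elif command -v ss >/dev/null 2>&1; then
        ss -tunap 2>/dev/null | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -un
    fi
}

# triage -> one line per networked process: PID, user, verdict, executable.
# SUSPECT lines are where to start the kill / remove / review-logs step.
triage() {
    for pid in $(net_pids); do
        exe=$(exe_of_pid "$pid")
        user=$(owner_of_pid "$pid")
        if suspicious_path "$exe"; then
            verdict="SUSPECT"
        else
            verdict="ok"
        fi
        printf '%-7s %-10s %-8s %s\n' "$pid" "$user" "$verdict" "$exe"
    done
}

# list_hiding_places -> 'ls -al' (dot files included) of every suspect
# directory that exists, the same check the answer does for /boot.
list_hiding_places() {
    for d in $SUSPECT_DIRS; do
        [ -d "$d" ] && ls -al "$d"
    done
}

if [ "${1:-}" = "run" ]; then
    triage
    list_hiding_places
fi
```

Treat the output as hints, not proof: a process whose executable lives in /usr/bin can still be a replaced binary, and a kernel-level rootkit can hide from ps, lsof and /proc alike, so a clean listing does not mean a clean host. That is why the answer's last step, reviewing the logs for how the code got there, still matters after the process is killed.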