
My droplet has been compromised and is sending an outgoing Flood or DDoS. What do I do?

Posted on May 25, 2014

Here is some advice for trying to find evidence of viruses and trojans on your server causing issues.

Log into your server using the console in our control panel.

The link looks like this:

<strong>https://cloud.digitalocean.com/droplets/<code>XXXXX</code>/console</strong>

where <code>XXXXX</code> is your droplet’s ID.

You’ll need a password for root, so if you don’t have one please contact support for further advice.

On the console, once logged in, use one of these commands to try to find an unfamiliar process running:

This command, if installed, shows programs holding open a network socket.

<pre> lsof -i </pre>

This command will show all running processes:

<pre> ps -ef </pre>

Adding a pipe to an output paging program may help with long output, for example:

<pre> lsof -i | less
 ps -ef | less </pre>

This command, if you replace <code>XXXX</code> with a Process ID (PID), will show you the path to an executable file that is the origin of a process:

<pre> ls -al /proc/<code>XXXX</code>/exe </pre>

Common places trojans hide are /boot, /tmp, /run and /root. With this command you can list all content, including “dot files”, in /boot:

<pre> ls -al /boot </pre>

If you find something you know is foreign, check the ownership of the files for hints on what user privileges were used to install the code, kill the process, remove the files, and review your log files to try to find out how the code was installed so that you can work on preventing it from happening again.

If you need any advice, send support whatever data you are looking at that you need help with and they will try to point you in the right direction. The best way is to screenshot the console showing the data you are uncertain of, upload to a file sharing service (ex: imgur.com, dropbox.com) and send the URL in the ticket.

Some programs that may also help are:

<ul>
<li>rkhunter</li>
<li>chkrootkit</li>
<li>maldet</li>
<li>clamscan</li>
</ul>

If you can’t find anything, let support know via a support ticket for advice.

If you have success finding stuff, post your results here to help other people, and if you have suggestions for updates to this please add a comment below!

Regards,
Will
Support Agent, DigitalOcean
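The answer above walks through the checks by hand (ps -ef, ls -al /proc/XXXX/exe, file ownership). The script below is an added example, not part of the original answer, that runs the same checks for every PID in /proc and prints the processes whose executable lives where trojans usually hide, has a hidden path component, or has been deleted from disk after launch. It assumes a Linux /proc; the directory list is the answer's /boot, /tmp, /run and /root plus /var/tmp and /dev/shm, which are added here as equally common drop locations. PROC_ROOT is a knob added so the scan can be pointed at a copy of /proc for testing.

```shell
#!/bin/sh
# Added triage helper; it is not part of the original answer. It automates the
# steps above for every PID: resolve /proc/PID/exe (what ls -al /proc/XXXX/exe
# shows as the symlink target), check who the process runs as, and flag the
# executables that live where trojans usually hide.
# Assumptions: Linux /proc; SUSPECT_DIRS is the answer's /boot /tmp /run /root
# plus /var/tmp and /dev/shm (also world-writable and commonly abused).

PROC_ROOT=${PROC_ROOT:-/proc}
SUSPECT_DIRS="/tmp /var/tmp /dev/shm /run /boot /root"

# suspicious_exe PATH -> 0 (true) when PATH looks like a dropped binary:
# unlinked after launch, hidden (dot) path component, or under SUSPECT_DIRS.
suspicious_exe() {
    p=$1
    case "$p" in
        *' (deleted)') return 0 ;;   # readlink shows this for a removed binary
        */.*)          return 0 ;;   # e.g. /tmp/.tmp/e; expect a few false hits from ~/.local
    esac
    for d in $SUSPECT_DIRS; do
        case "$p" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# proc_exe PID   -> the executable path, same target ls -al /proc/PID/exe shows
# proc_owner PID -> the user the process runs as (owner of /proc/PID)
proc_exe()   { readlink "$PROC_ROOT/$1/exe" 2>/dev/null; }
proc_owner() { ls -ld "$PROC_ROOT/$1" 2>/dev/null | awk '{print $3}'; }

# scan_procs -> prints "PID USER EXE" for every flagged process;
# returns 0 if anything was flagged, 1 if nothing was.
scan_procs() {
    found=1
    for pd in "$PROC_ROOT"/[0-9]*; do
        pid=${pd##*/}
        exe=$(proc_exe "$pid") || continue    # kernel threads, vanished PIDs, or not root
        [ -n "$exe" ] || continue
        if suspicious_exe "$exe"; then
            printf '%s %s %s\n' "$pid" "$(proc_owner "$pid")" "$exe"
            found=0
        fi
    done
    return $found
}

# Stand-alone run. As root every process is visible; as a normal user only
# your own. A hit is a starting point, not proof: confirm with
# ls -al /proc/PID/exe, lsof -p PID and the file's ownership before killing it.
scan_procs || echo "nothing flagged by path; still run lsof -i and a rootkit scanner"
```

Run it as root from the console, since /proc/PID/exe of another user's process is only readable by root. A process whose binary is gone from disk is the case the manual ls -al check misses most easily: the process keeps running, but the file it came from has been removed to hide it.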




Blocking the droplet network is an insane action. At least you should notify 2 or 3 days before. Especially when the support team takes more than 2 hours to reply.

I’m so frustrated. Also moving to vultr.

Help me please, my server has lost connection or been disabled.

Can you help me, because my data in the droplet is very important. I have used DigitalOcean for 2 years, but my server and data are all lost.

I’m sad, the ticket gets no response. :( Help me. Please, help me please…

My droplet was blocked today as well. Trying to figure out what happened, I did all the proposed steps in this article and the provided links - everything was looking OK.

I’ve checked my fail2ban log - there were a lot of bans/unbans of the same scope of IP addresses, from all around the globe. But again, no strange processes, no strange files in directories…

Except one: /tmp/.tmp. The content is:

<pre> -rw-r--r-- 1 nobody nogroup 129462 Jan  7 01:48 5k.txt
 -rw-r--r-- 1 nobody nogroup   1192 Dec 20 20:03 e
 -rw-r--r-- 1 nobody nogroup   1135 Jan  7 01:33 new.html
 -rw-r--r-- 1 nobody nogroup    490 Jan  7 01:49 ok
 -rw-r--r-- 1 nobody nogroup 238443 Jan  7 01:55 okay </pre>

<ul>
<li>5k.txt - the list of 5k email addresses</li>
<li>e - the perl script to send emails</li>
<li>new.html - the email content</li>
<li>ok - the log of getting the e file from the remote host; the remote address is http://www.navigator-dv.ru/libraries/phputf8/utils/.s/e with ip address 92.53.113.61</li>
<li>okay - the log of sent emails</li>
</ul>

crontab doesn’t have a record to start this e script. So, I assume that it is a one-time script… or am I missing something and there is a way to relaunch it?
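The comment above found the dropped files by listing a hidden directory in /tmp by hand, then checked only the current user's crontab for a way to relaunch the script. The script below is an added example, not from the comment or the original answer: it sweeps the world-writable directories for hidden entries, marks the ones owned by a web-server account (the nobody:nogroup ownership seen above), and then lists every scheduler a dropped script could be started from again: every user's crontab, the system cron directories, at jobs and systemd timers. It assumes Linux; the directory list and the account names in WEB_USERS are assumptions about a typical droplet and may need adjusting.

```shell
#!/bin/sh
# Added sweep helper; not from the comment above or the original answer.
# It looks for what the commenter found by hand (a hidden directory in /tmp
# whose files belong to the web server's unprivileged account) and then lists
# every scheduler a dropped script could be re-launched from.
# Assumptions: Linux; SWEEP_DIRS are the usual world-writable drop zones;
# WEB_USERS are typical web-server accounts and may differ on your droplet.

SWEEP_DIRS=${SWEEP_DIRS:-"/tmp /var/tmp /dev/shm /run"}
WEB_USERS=${WEB_USERS:-"nobody www-data apache nginx"}

# hidden_entries DIR -> one line per dot-entry directly inside DIR
# (plain ls hides them; this is the ls -al view reduced to the dot names)
hidden_entries() {
    for f in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
    done
}

# owned_by_web_user FILE -> 0 when FILE's owner is one of WEB_USERS.
# A file the web server's account wrote into /tmp usually means the entry
# point was a web application, not a stolen root password.
owned_by_web_user() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    for u in $WEB_USERS; do
        if [ "$owner" = "$u" ]; then return 0; fi
    done
    return 1
}

# sweep_dropzones -> ls -ld line for each hidden entry in SWEEP_DIRS,
# marked when the owner is a web-server account
sweep_dropzones() {
    for dir in $SWEEP_DIRS; do
        hidden_entries "$dir" | while IFS= read -r f; do
            mark=''
            if owned_by_web_user "$f"; then mark='  <== web-server user'; fi
            printf '%s%s\n' "$(ls -ld "$f")" "$mark"
        done
    done
}

# persistence_report -> everything that could start the script again.
# Run as root: other users' crontabs are unreadable otherwise.
persistence_report() {
    echo '== per-user crontabs =='
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | grep -v '^#' | sed "s|^|$u: |"
    done
    echo '== system cron =='
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | grep -v '^#'
    ls -l /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly 2>/dev/null
    echo '== at jobs =='
    atq 2>/dev/null
    echo '== systemd timers =='
    systemctl list-timers --all 2>/dev/null
}

sweep_dropzones
persistence_report
```

If the persistence report shows nothing referencing the script and the files belong to the web server's account, the likeliest way for it to come back is the same web application that dropped it, so the web access log around the file timestamps (here 01:33 to 01:55 on Jan 7) is the next thing to read, together with the access log entries from the IP the `e` file was fetched from.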
