Question

My droplet has been compromised and is sending an outgoing Flood or DDoS. What do I do?

Posted May 25, 2014 124.6k views
Here is some advice for trying to find evidence of viruses and trojans on your server causing issues.

Log into your server using the console in our control panel. The link looks like this: https://cloud.digitalocean.com/droplets/XXXXX/console where XXXXX is your droplet's ID. You'll need a password for root, so if you don't have one please contact support for further advice.

On the console once logged in, use one of these commands to try to find an unfamiliar process running.

This command, if installed, shows programs holding open a network socket:

    lsof -i

This command will show all running processes:

    ps -ef

Adding a pipe to an output paging program may help for long output, for example:

    lsof -i | less
    ps -ef | less

This command, if you replace XXXX with a Process ID (PID), will show you the path to the executable file that is the origin of a process:

    ls -al /proc/XXXX/exe

Common places trojans hide are /boot, /tmp, /run and /root. With this command you can list all content, including "dot files", in /boot:

    ls -al /boot

If you find something you know is foreign, check the ownership of the files for hints on what user privileges were used to install the code, kill the process, remove the files, and review your log files to try to find out how the code was installed so that you can work on preventing it from happening again.

If you need any advice, send support whatever data you are looking at that you need help with and they will try to point you in the right direction. The best way is to screenshot the console showing the data you are uncertain of, upload it to a file sharing service (ex: imgur.com, dropbox.com) and send the URL in the ticket.

Some programs that may also help are:
  • rkhunter
  • chkrootkit
  • maldet
  • clamscan

If you can't find anything, let support know via a support ticket for advice. If you have success finding stuff, post your results here to help other people, and if you have suggestions for updates to this please add a comment below!

Regards,
Will
Support Agent
DigitalOcean
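The post above walks through the checks one PID at a time. The script below is an added example (it is not part of Will's post and not a DigitalOcean tool) that does the same `/proc/PID/exe` lookup for every running process and flags binaries that live in the hiding places the post names, or that the kernel reports as "(deleted)" (a running process whose executable has been unlinked, a common trick to dodge file scanners). The extra directories /dev/shm and /var/tmp, the function names and the output format are my assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the original post): for every PID, resolve
# /proc/PID/exe (what the post inspects with "ls -al /proc/XXXX/exe") and
# report the ones that run from suspicious locations. Run as root: only root
# can read /proc/PID/exe of other users' processes; unreadable ones are skipped.

# Directories the post lists as common trojan locations, plus /dev/shm and
# /var/tmp (world-writable tmpfs/scratch areas abused the same way; assumption).
SUSPECT_DIRS="/tmp /run /boot /root /dev/shm /var/tmp"

# suspicious_path PATH
# Returns 0 (true) when PATH lies under one of SUSPECT_DIRS or when the
# kernel reports the executable as "(deleted)".
suspicious_path() {
    p="$1"
    case "$p" in
        *" (deleted)") return 0 ;;
    esac
    for d in $SUSPECT_DIRS; do
        case "$p" in
            "$d"/*) return 0 ;;
        esac
    done
    return 1
}

# describe_pid PID
# Prints "PID UID EXE": the executable path from /proc/PID/exe and the real
# UID from /proc/PID/status, i.e. the ownership hint the post asks you to
# check. Unreadable fields are printed as "?".
describe_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="?"
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null || true)
    printf '%s %s %s\n' "$pid" "${uid:-?}" "$exe"
}

# triage_processes
# Walks /proc and prints one line per process whose executable is suspicious.
triage_processes() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        if suspicious_path "$exe"; then
            describe_pid "$pid"
        fi
    done
}

# Stand-alone run: prints the flagged processes (often none on a clean host).
triage_processes
```

Anything this prints deserves the rest of the post's procedure: `ls -al` on the file, `ps -ef` for its parent and start time, then the log review. A process with a "(deleted)" executable can still be recovered for analysis by copying `/proc/PID/exe` before the process is killed, since the kernel keeps the inode open.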
10 comments
  • How can I do this if I can’t SSH, or anything, to the droplet!!!!!

    I use git for transferring code to the droplet, and I’m making a web page for a photographer so OF COURSE there are big files getting in and out.

    I think it is so very irresponsible of you to just lock the droplet because of this. I have the customer on the phone complaining why the site is not updated and up, and I can’t do anything because you don’t even answer my ticket ffs!!!!!

  • A famous columnist wrote about my website in a newspaper and also he gave a link. Therefore a lot of people want to reach my website but you stopped my service. It was not an attack.

    You don’t answer my ticket.

    Thanks Digital Ocean, you are so professional.

  • How to get my files back if network is disabled?
    How can I test if I solved the problem without network?

  • Google sfewfesfs if your droplet is compromised. I met this problem recently.

46 answers
Hey Sikora,

The most common reason that we see Droplets compromised is as a result of a weak root password. One thing we recommend is making the switch to using SSH keys, which offer far greater security (and the extra benefit of never having to wait for a password e-mail!)

If you need any help with setting them up, we have a few guides on using them:

https://www.digitalocean.com/community/articles/how-to-set-up-ssh-keys--2
https://www.digitalocean.com/community/articles/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users

Of course, if you have any specific questions, or get stuck anywhere, we're happy to help you in a support ticket.

We also have a great guide on basic security steps here: https://www.digitalocean.com/community/articles/an-introduction-to-securing-your-linux-vps

Cheers,
Michael
DigitalOcean Support
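Michael's answer recommends moving from a root password to SSH keys. Keys alone do not close the door if sshd still accepts passwords, so here is an added example (not from the answer above and not a DigitalOcean tool) that audits an sshd_config for the directives that keep password logins alive. The function names, the three constructed sample configs, and the rule of treating a missing directive as the permissive older default are my assumptions.

```shell
#!/bin/sh
# Added example (not from the answer above nor a DigitalOcean tool): audits an
# sshd_config for the settings that still let a guessed root password in
# after you have switched to SSH keys.

# effective_value CONFIG_FILE DIRECTIVE
# Prints the value sshd will actually use. OpenSSH honours the FIRST
# occurrence of a directive and ignores later repeats, matches names
# case-insensitively, and applies anything after a "Match" line only
# conditionally, so this reads the global section up to the first Match.
# Prints nothing if the directive is not set there.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^[ \t]*[Mm]atch[ \t]/   { exit }        # stop at the first Match block
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# sshd_config_weak CONFIG_FILE
# Returns 0 (weak) when password-based logins are still possible. Three
# directives matter: PasswordAuthentication, PermitRootLogin (only "yes"
# allows root with a password; "no", "prohibit-password" and the older
# "without-password" do not) and ChallengeResponseAuthentication, which on
# PAM systems lets a password through keyboard-interactive even when
# PasswordAuthentication is "no". A missing directive is treated as "yes",
# the permissive default of older OpenSSH releases (assumption; conservative).
sshd_config_weak() {
    for directive in PasswordAuthentication PermitRootLogin ChallengeResponseAuthentication; do
        value=$(effective_value "$1" "$directive")
        case "${value:-yes}" in
            [Yy][Ee][Ss]) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample configs (not taken from any real host).
WEAK=$(mktemp); HARD=$(mktemp); TRICKY=$(mktemp)
trap 'rm -f "$WEAK" "$HARD" "$TRICKY"' EXIT
cat >"$WEAK" <<'EOF'
# A stock-looking config: root can be brute-forced over the network.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
# Key-only login; root may still log in, but only with a key.
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
cat >"$TRICKY" <<'EOF'
# Looks hardened at a glance, but the first occurrence wins, so passwords stay on.
PasswordAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

# report LABEL CONFIG_FILE: one line per config when run stand-alone.
report() {
    if sshd_config_weak "$2"; then echo "$1: WEAK (password logins possible)"; else echo "$1: ok"; fi
}
report weak "$WEAK"; report hardened "$HARD"; report tricky "$TRICKY"
```

Point `sshd_config_weak` at the real `/etc/ssh/sshd_config` to audit a host. The "tricky" sample is the case that bites people who append hardened lines to the end of a distribution config: sshd keeps the first `PasswordAuthentication yes` and silently ignores the later `no`, and `sshd -T` (which prints the effective configuration) is the authoritative way to confirm what the daemon really loaded.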
  • So… This didn’t prevent an ‘attack’ on my droplet… I only ever use SSH keys, which of course means that I cannot log into the console since I have no password, and I can’t get in from SSH since you’ve killed the network. gj! :)
    DO should probably analyse their network stack a bit better imo before pointing the blame at droplet owners…

Could you please offer a copy-paste function on the web-based console? It’s extremely painful to do an inspection on the console without this!

I got hit by this in the last days. The attack seems to use methods similar to the one described here http://struts.apache.org/release/2.3.x/docs/s2-016.html. In short, a Java application that does not sanitize input that is later evaluated as an expression in either the OGNL or MVEL scripting engines. Nothing to do with the DigitalOcean security.

In my case I had ElasticSearch bound to all network interfaces leaving it open to the world. ElasticSearch allows for scripting in some of its queries so that's for me the most probable entry point (no proof though). I also had a Jetty server running with a small java application, that's my second probable point of entry.

I've set both java processes now to bind only to local interfaces.

Some more reading (in Chinese, but there are links and code samples):
http://www.m2minfo.com/?p=731
http://bbs.51cto.com/viewthread.php?tid=1091316&page=2
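The commenter's fix was to bind ElasticSearch and Jetty to local interfaces only. The script below is an added example (not part of the comment above, and not code from ElasticSearch or DigitalOcean) that reads `ss -lntp` style output and reports every TCP listener bound to a wildcard address, so you can see which services are reachable from the internet before a scanner finds them. The field layout assumed is ss's (state, recv-q, send-q, local address:port, peer address:port, process); the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list TCP listeners bound to every interface, the exposure the
# commenter describes for ElasticSearch. Feed it "ss -lntp" output.

# wildcard_listeners < ss-output
# Prints "PORT PROCESS" for each LISTEN socket whose local address is a
# wildcard (0.0.0.0, [::], :: or *). Loopback and single-interface binds
# are skipped. PROCESS is "-" when ss shows no process (not run as root).
wildcard_listeners() {
    awk '
        $1 != "LISTEN" { next }              # skip the header and non-listeners
        {
            n = split($4, a, ":")            # the port follows the last colon
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            proc = "-"
            if (match($0, /users:\(\("[^"]+"/))     # users:(("name",pid=...
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "::" || addr == "*")
                print port, proc
        }'
}

# Constructed sample of "ss -lntp" output (not captured from a real host):
# ElasticSearch HTTP on 9200 and Jetty on 8080 are exposed to the world,
# the ES transport port 9300 and redis are loopback-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:9200        0.0.0.0:*         users:(("java",pid=1234,fd=55))
LISTEN 0      128    127.0.0.1:9300      0.0.0.0:*         users:(("java",pid=1234,fd=56))
LISTEN 0      128    [::]:8080           [::]:*            users:(("java",pid=2345,fd=12))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=900,fd=6))'

# Stand-alone run over the sample; on a real host use: ss -lntp | wildcard_listeners
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
```

On the sample this prints `9200 java`, `8080 java` and `22 sshd`; only sshd should be in that list on the commenter's setup. For ElasticSearch the corresponding setting is `network.host: 127.0.0.1` in elasticsearch.yml (older releases also accepted `network.bind_host`), and anything that must stay exposed belongs behind a firewall rule rather than a wildcard bind.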
Maybe follow the guide they gave you.

Blocking the droplet network is an insane action. At least you should notify 2 or 3 days before. Especially when the support team takes more than 2 hours to reply.

I’m so frustrated. Also moving to vultr.

Look, this is totally wrong. Who is this company CNSERVERS LLC that is attacking servers on Digital Ocean? It looks like this company works to stop DDoS, but they first DDoS you, as happened to me right now:

“[ SYN flood ] 104.131.255.17 ( dropletID: 3584777 ) –towards–> 162.218.54.104 [ CNSERVERS - CNSERVERS LLC,US ] 2417 mbps, 333586 packets/second”

Why should I attack this company CNSERVERS LLC? Why is this company, a company that offers DDoS support, the target? Why this one and not something else, but this company?

The Digital Ocean team needs to take a deep look at this, not just stop servers.

Thanks.

Does this really feel professional? My server was disconnected at 11:44 and it’s almost 12:44 where I am. I am running a huge news site on your servers and I don’t get a single response to the multiple comments that I have dropped on the ticket.

This is really not appealing. I will be moving to a different provider soon if this goes on.

Thanks, Justaguy, this actually *is* the guide ;-)

I'm a Support Agent at DigitalOcean, and in the past 48 hours we've had to lock a lot of droplets for SYN and UDP floods. This was the best way I could find to put up some guide at a public URL that I could continually edit and tweak as more information and feedback came in.

Regards,
Will
Support Agent
DigitalOcean