Question

My droplet has been compromised and is sending an outgoing Flood or DDoS. What do I do?

Here is some advice for trying to find evidence of virus and trojans on your server causing issues.

Log into your server using the console in our control panel.

The link looks like this:

<strong>https://cloud.digitalocean.com/droplets/<code>XXXXX</code>/console</strong>

where <code>XXXXX</code> is your droplet’s ID.

You’ll need a password for root, so if you don’t have one please contact support for further advice.

On the console once logged in, use one of these commands to try to find a unfamiliar process running:

This command, if installed, shows programs holding open a network socket.

<pre> lsof -i </pre>

This command will show all running processes:

<pre> ps -ef </pre>

adding a pipe to a output paging program may help for long output, example:

<pre> lsof -i | less ps -ef | less </pre>

This command, if you replace <code>XXXX</code> with a Process ID (PID) will show you the path to a executable file that is the origin of a process:

<pre> ls -al /proc/<code>XXXX</code>/exe </pre>

Common places trojans hide are /boot /tmp /run and /root. This command you can list all content, including “dot files”, in /boot

<pre> ls -al /boot </pre>

If you find something you know is foreign, check the ownership of the files for hints on what user privileges were used to instal the code, kill the process, remove the files, and review your log files to try to find out how the code was installed so that you can work on preventing it form happening again.

If you need any advice, send support whatever data you are looking at that you need help with and they will try to point you in the right direction. The best way is to screenshot the console showing the data you are uncertain of, upload to a file sharing service (ex: imgur.com, dropbox.com) and send the URL in the ticket.

Some programs that may also help are:

<ul> <li>rkhunter</li> <li>chkrootkit</li> <li>maldet</li> <li>clamscan</li> </ul>

If you can’t find anything, let support know via a support ticket for advice.

If you have success finding stuff, post your results here to help other people, and if you have suggestions for updates to this please add a comment below!

Regards, Will Support Agent DigitalOcean

Show comments

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Hey Sikora, <br> <br>The most common reason that we see Droplets compromised is as a result of a weak root password. One thing we recommend is making the switch to using SSH keys, which offer far greater security (and the extra benefit of never having to wait for a password e-mail!) <br> <br>If you need any help with setting them up, we have a few guides on using them: <br> <br>https://www.digitalocean.com/community/articles/how-to-set-up-ssh-keys--2 <br>https://www.digitalocean.com/community/articles/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users <br> <br>Of course, if you have any specific questions, or get stuck anywhere, we’re happy to help you in a support ticket. <br> <br>We also have a great guide on basic security steps here: https://www.digitalocean.com/community/articles/an-introduction-to-securing-your-linux-vps <br> <br>Cheers, <br>Michael <br>DigitalOcean Support

could you please offer copy-paste function on the web-based console? It’s extremely painful to do inspection on the console without this!

I got hit by this in the last days. The attack seems to use methods similar to the one described here http://struts.apache.org/release/2.3.x/docs/s2-016.html. In short - a Java application that do not sanitize input that is later evaluated as an expression in either OGNL or MVEL scripting engines. Nothing to do with the DigitalOcean security. <br> <br>In my case I had ElasticSearch bound to all network interfaces leaving it open to the world. ElasticSearch allows for scripting in some of its queries so that’s for me the most probable entry point (no proof though). I also had a Jetty server running with a small java application, that’s my second probable point of entry. <br> <br>I’ve set both java processes now to bind only to local interfaces. <br> <br>Some more reading (in chinese, but there are links and code samples) : <br>http://www.m2minfo.com/?p=731 <br>http://bbs.51cto.com/viewthread.php?tid=1091316&page=2