Here is some advice for trying to find evidence of virus and trojans on your server causing issues.
Log into your server using the console in our control panel.
The link looks like this:
is your droplet's ID.
You'll need a password for root, so if you don't have one please contact support for further advice.
On the console once logged in, use one of these commands to try to find a unfamiliar process running:
This command, if installed, shows programs holding open a network socket.
This command will show all running processes:
adding a pipe to a output paging program may help for long output, example:
lsof -i | less
ps -ef | less
This command, if you replace
with a Process ID (PID) will show you the path to a executable file that is the origin of a process:
ls -al /proc/
Common places trojans hide are /boot /tmp /run and /root. This command you can list all content, including "dot files", in /boot
ls -al /boot
If you find something you know is foreign, check the ownership of the files for hints on what user privileges were used to instal the code, kill the process, remove the files, and review your log files to try to find out how the code was installed so that you can work on preventing it form happening again.
If you need any advice, send support whatever data you are looking at that you need help with and they will try to point you in the right direction. The best way is to screenshot the console showing the data you are uncertain of, upload to a file sharing service (ex: imgur.com, dropbox.com) and send the URL in the ticket.
Some programs that may also help are:
If you can't find anything, let support know via a support ticket for advice.
If you have success finding stuff, post your results here to help other people, and if you have suggestions for updates to this please add a comment below!