Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
WordPRess Files Removed Now What To Do? Question Question
cpu from 13% to 100% in one minute Question Question

Question

My Droplet is compromised and Network Interface disabled

Posted August 25, 2017 3.9k views
WordPressDigitalOceanNetworkingDNSControl PanelsUbuntu 16.04

My droplet was compromised and Digital Ocean team shutdown my network interface. Now they email me that
<^>Hello there,

I have set your boot device to our Recovery Environment where you will be able to mount your file system (content will appear under /mnt/ ), enable networking, and connect via SSH/SFTP to migrate your backup files to your local machine or a new Droplet.

There are a few steps involved in this process and we’ve listed them in this guide: https://www.digitalocean.com/community/tutorials/recovering-files-from-a-compromised-droplet-using-the-recovery-iso

Please get back to us when you are finished.

Regards,

Trust & Safety
DigitalOcean<^>

But I am getting this error on Step 2 : http://i.imgur.com/U1QxnFW.png

What can i do now ? I need sftp access to delete the compromised files. Its been 45 hours and my droplet is still shutdown.

Add a comment
almobilecover
By:
almobilecover

Related

Join the DigitalOcean Community Community

Join 1M+ other developers and:

  • Get help and share knowledge in Q&A
  • Subscribe to topics of interest
  • Get courses & tools that help you grow as a developer or small business owner
 Join Now
WordPRess Files Removed Now What To Do? Question Question
cpu from 13% to 100% in one minute Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer
Aprexer August 25, 2017

Have you tried force stopping the droplet and turn it back on again?
Make sure next time to protect your droplet from malicious people, probably longer it’s down the better.
You should read this before you start a new droplet once you’ve gotten access and recovered your files https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps

Also may I strongly suggest that once you’ve recovered those files you try and check for any back doors that might be hidden in those files since they’re pretty easy to spread.

How To Protect SSH With Two-Factor Authentication
by Tim Kornhuber
To protect your SSH server with an two-factor authentication, you can use the Google Authenticator PAM module. Read this tutorial to expand your knowledge on the subject.
Reply Report
  • almobilecover August 25, 2017

    Thanks for answer, how to force stop droplet ?

    Reply Report
    • Aprexer August 25, 2017

      There should be a slider button on the droplet information page.

      Reply Report
      • almobilecover August 25, 2017

        i did it, poweroff the droplet then ON but still the same error: http://i.imgur.com/U1QxnFW.png

        Its been 48 hours and no one is solving my issue. This is the level of DO support ? No one compromized or hack his own server but the response of digital ocean is pathetic. This is why i pay monthly so when i need support no one responce and just shutdown my droplet and websites without having any backups

        Reply Report
        • iteagle03 August 25, 2017

          Back-ups are the owner’s responsibility. You can ask DO to perform back-ups for a price (% of your monthly service fee).

          Reply Report
          • almobilecover August 25, 2017

            I know but its been 48 hours and no one is solving my issue … this is what “The Best Server Provider” do with their customers ???? To shutdown their websites and not responding.

            Reply Report
          • Aprexer August 25, 2017

            In reply to almobilecover
            Your droplet alerted digitalocean that it is compromised.
            I’ll say it again, it’s your responsibility to secure your server to avoid stuff like this happening.
            There’s allot of tickets that need to dealt with, if everyone wants a proper response then it’s best you are patient.
            You will not be charged in the mean time.
            They didn’t shut down your site, they shut down your server for your safety and theirs as a company.

            Reply Report
    • myanmarwebsolut April 28, 2019

      I had the same issue, I am very unhappy with the support.

      If they want to disable my droplets , I am fine with it. All i need is enable networking for a while to download my data.

      Very unhappy with the result, it took very long time more than 48 hrs and clients are now complaining. We now have no choice but to migrate to other service providers.

      I had been a loyal customer with more than ten droplets,I also did enourage other developers to use DO but their support is terrible.

      Bad experience.

      Reply Report

Related

Looking for something else?

Ask a new question Search for more help