My Droplet is compromised and Network Interface disabled

August 25, 2017
Tags: DigitalOcean, Networking, Control Panels, WordPress, DNS, Ubuntu 16.04

My droplet was compromised and the Digital Ocean team shut down my network interface. Now they have emailed me:

    Hello there,

    I have set your boot device to our Recovery Environment where you will be able to mount your file system (content will appear under /mnt/ ), enable networking, and connect via SSH/SFTP to migrate your backup files to your local machine or a new Droplet.

    There are a few steps involved in this process and we've listed them in this guide: https://www.digitalocean.com/community/tutorials/recovering-files-from-a-compromised-droplet-using-the-recovery-iso

    Please get back to us when you are finished.

    Regards,

    Trust & Safety
    DigitalOcean

But I am getting this error on Step 2: http://i.imgur.com/U1QxnFW.png

What can I do now? I need SFTP access to delete the compromised files. It's been 45 hours and my droplet is still shut down.

1 Answer

Have you tried force stopping the droplet and turning it back on again?
Make sure next time to protect your droplet from malicious people; probably the longer it's down the better.
You should read these before you start a new droplet, once you've gotten access and recovered your files:
https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps

Also, may I strongly suggest that once you've recovered those files you check for any back doors that might be hidden in them, since they're pretty easy to spread.

  • Thanks for the answer, how do I force stop the droplet?

    • There should be a slider button on the droplet information page.

      • I did it, powered off the droplet and then turned it on, but still the same error: http://i.imgur.com/U1QxnFW.png

        It's been 48 hours and no one is solving my issue. Is this the level of DO support? No one compromises or hacks his own server, but the response of Digital Ocean is pathetic. This is why I pay monthly, so that when I need support no one responds and they just shut down my droplet and websites without having any backups.

        • Back-ups are the owner's responsibility. You can ask DO to perform back-ups for a price (% of your monthly service fee).

          • I know, but it's been 48 hours and no one is solving my issue... this is what "The Best Server Provider" does with their customers???? Shut down their websites and not respond.

          • In reply to almobilecover
            Your droplet alerted DigitalOcean that it is compromised.
            I'll say it again: it's your responsibility to secure your server to avoid stuff like this happening.
            There are a lot of tickets that need to be dealt with; if everyone wants a proper response then it's best you are patient.
            You will not be charged in the meantime.
            They didn't shut down your site, they shut down your server for your safety and theirs as a company.
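A triage helper for the step the answer recommends (checking recovered files for back doors before reusing them), added here as an example and not part of this thread or of DigitalOcean's tooling. It assumes the compromised filesystem is mounted at /mnt/ as the Trust & Safety email describes, and that the site lives in a WordPress tree under a web root such as /mnt/var/www/html (an assumed path); it only lists candidates for review, it deletes nothing.

```shell
#!/bin/sh
# Triage a web root mounted from the Recovery ISO (e.g. /mnt/var/www/html).
# Prints "MARKER <file>" for PHP files containing constructs typical of web
# shells, and "RECENT <file>" for anything modified in the last N days, so the
# owner knows what to inspect before copying the site to a new droplet.
# Added example; the regex and paths are assumptions, not DigitalOcean tooling.

# Constructs that are rare in legitimate WordPress code but common in back doors
# (extended regex, matched case-insensitively).
SUSPECT_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|(shell_exec|passthru|proc_open|popen)[[:space:]]*\('

# scan_webroot <dir> [days]: one finding per line, sorted; days defaults to 7.
scan_webroot() {
    dir=$1
    days=${2:-7}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    {
        # 1. PHP-like files whose contents match a back-door marker.
        find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
             -exec grep -lEi "$SUSPECT_RE" {} + 2>/dev/null | sed 's/^/MARKER /'
        # 2. Any file changed within the window (dropped files are usually new).
        find "$dir" -type f -mtime "-$days" | sed 's/^/RECENT /'
    } | sort
}

# Usage on a recovered droplet (assumed mount point and web root):
#   scan_webroot /mnt/var/www/html 14
```

Review every MARKER hit by hand; plugins that legitimately use these functions will also appear, and a clean listing does not prove the tree is clean.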
