My droplet was compromised and the DigitalOcean team shut down my network interface. Now they have emailed me the following:

> Hello there,
>
> I have set your boot device to our Recovery Environment where you will be able to mount your file system (content will appear under /mnt/ ), enable networking, and connect via SSH/SFTP to migrate your backup files to your local machine or a new Droplet.
>
> There are a few steps involved in this process and we’ve listed them in this guide: https://www.digitalocean.com/community/tutorials/recovering-files-from-a-compromised-droplet-using-the-recovery-iso
>
> Please get back to us when you are finished.
>
> Regards,
> Trust & Safety DigitalOcean
But I am getting this error on Step 2: http://i.imgur.com/U1QxnFW.png

What can I do now? I need SFTP access to delete the compromised files. It's been 45 hours and my droplet is still shut down.
Have you tried force stopping the droplet and turning it back on again? Make sure next time to protect your droplet from malicious people; probably the longer it’s down the better. You should read these before you start a new droplet once you’ve gotten access and recovered your files:

https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication

https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
Also may I strongly suggest that once you’ve recovered those files you try and check for any back doors that might be hidden in those files since they’re pretty easy to spread.
Heya,
Since you’re already in the Recovery Environment, your filesystem should be mounted under /mnt.
You need to enable networking in the Recovery Environment manually, as outlined in the DigitalOcean Recovery Guide.
You can use the following steps to configure the network:
Run the following command to see available network interfaces:

```
ip link show
```

Typically, your network interface will be named something like eth0 or enp3s0.

Create a network configuration file for your interface in the recovery environment. Here’s how to set it up:

```
sudo nano /etc/network/interfaces
```

Add the following lines (replace eth0 with the actual name of your interface if it’s different):

```
auto eth0
iface eth0 inet dhcp
```

Save and close the file.

Now bring up the interface by running:

```
sudo ifup eth0
```

Run the following to check if you have internet connectivity:

```
ping google.com
```
If you can ping external servers, your network is working. Now that your network interface is working, you should be able to connect to your droplet using SFTP or SSH.
If you need to remove compromised files, navigate to /mnt/ where your filesystem is mounted. You can use SSH/SFTP to manually delete the files or back them up to your local machine.
Hope that this helps!
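
The check for hidden back doors suggested in the replies above can start with a read-only triage of the filesystem mounted under /mnt. This is an added example, not part of the original posts or of DigitalOcean's guide; the function names and the 14-day default window are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage of a filesystem mounted by the recovery ISO.
# Usage: sh triage.sh /mnt [days]   (function names are hypothetical)

# Regular files modified within the last N days, staying on one filesystem.
recent_files() {  # $1 = mount point, $2 = days
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null | sort
}

# setuid / setgid files: compare against what your packages should ship.
suid_files() {  # $1 = mount point
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# authorized_keys files with the number of keys in each ("<count> <path>").
ssh_keys() {  # $1 = mount point
    find "$1/root" "$1/home" -maxdepth 3 -type f -name authorized_keys 2>/dev/null |
    sort | while IFS= read -r f; do
        # Count lines that are neither blank nor comments.
        n=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
        printf '%s %s\n' "$n" "$f"
    done
}

# Scheduled jobs: system crontab, cron.d drop-ins and per-user spools.
cron_files() {  # $1 = mount point
    for p in "$1/etc/crontab" "$1/etc/cron.d" "$1/var/spool/cron"; do
        if [ -e "$p" ]; then find "$p" -type f 2>/dev/null; fi
    done | sort
}

triage() {  # $1 = mount point, $2 = days (default 14)
    echo "== modified in last ${2:-14} days =="; recent_files "$1" "${2:-14}"
    echo "== setuid/setgid ==";                  suid_files "$1"
    echo "== authorized_keys (count path) ==";   ssh_keys "$1"
    echo "== cron ==";                           cron_files "$1"
}

# Runs only when a mount point is given, e.g. /mnt from the recovery email.
if [ $# -gt 0 ]; then triage "$@"; fi
```

Nothing here deletes or modifies files; it only lists candidates to review before anything is copied to a new Droplet.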