My Droplet sending Brute Force attack?

April 19, 2014

Dear guys,

I have a droplet which I use as an email server. Applications that I installed there are:

1. iRedmail
2. Phplist
3. MySql
4. Apache httpd

I had been using it for 3 months already, and suddenly I got a ticket from DigitalOcean support which shows that my droplet has been performing a brute force attack against another server's SSH ...

My questions:

1. How can I find out that my server does these things?
2. How can I clean my server that might already be infested by a BOTNET?

Thanks in advance,
Bromo

2 Answers
Hello Bromo,

Which OS are you on?

More than likely someone used an exploit on your server.

- Alex

The first place I'd look is /var/log/auth.log to see if someone else is logging on to the droplet.

I'd also encourage you to install rkhunter as well.
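
An added example, not part of either answer: one way to carry out the auth.log check suggested above, listing every successful SSH login and flagging those that followed repeated failures from the same address. It assumes OpenSSH's usual syslog line format; the sample lines, addresses, user names and the `fail_threshold` value are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the OpenSSH syslog format written to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Apr 18 02:11:01 mail sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 18 02:11:03 mail sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 18 02:11:06 mail sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Apr 18 02:11:09 mail sshd[2107]: Accepted password for root from 203.0.113.7 port 40131 ssh2
Apr 18 09:30:12 mail sshd[3310]: Accepted publickey for deploy from 198.51.100.20 port 51514 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def summarize_auth_log(lines, fail_threshold=3):
    """Return every successful SSH login, flagging those that followed
    at least `fail_threshold` failed attempts from the same address."""
    failures = Counter()  # failed attempts seen so far, per source IP
    logins = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            prior = failures[m["ip"]]
            logins.append({
                "when": line[:15],  # syslog timestamp, e.g. "Apr 18 02:11:09"
                "user": m["user"],
                "ip": m["ip"],
                "method": m["method"],
                "prior_failures": prior,
                "suspicious": prior >= fail_threshold,
            })
    return logins


if __name__ == "__main__":
    # Swap in open("/var/log/auth.log", errors="replace") on the droplet itself.
    for login in summarize_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        flag = "REVIEW" if login["suspicious"] else "ok"
        print(f'{flag:6} {login["when"]} {login["user"]}@{login["ip"]} '
              f'via {login["method"]} after {login["prior_failures"]} failures')
```

A login marked REVIEW from an address you do not recognise is the entry to follow up on first; rotated logs (auth.log.1 and older) need the same pass.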
