My Droplet sending Brute Force attack?

  • Posted April 19, 2014

Dear guys,

I have a droplet which I use as an email server. Applications that I installed there are:

  1. iRedmail,
  2. Phplist,
  3. MySql,
  4. Apache httpd

I had been using it for 3 months already, and suddenly I got a ticket from DigitalOcean support which shows that my droplet has been performing a brute force attack against another server’s SSH …

My questions:

  1. How can I find out that my server does these things?
  2. How can I clean my server that might already be infested by a BOTNET?

Thanks in advance, Bromo



The first place I’d look is /var/log/auth.log to see if someone else is logging on to the droplet.

I’d also encourage you to install rkhunter as well.
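One way to carry out the auth.log check suggested above, as an added example that is not part of the original answer: it lists every accepted SSH login together with the number of failed attempts the same address made beforehand. The log lines, hostname, addresses and the `known_ips` / `fail_threshold` parameters are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Apr 18 02:11:40 mail sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Apr 18 02:11:43 mail sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 18 02:11:47 mail sshd[2104]: Failed password for root from 203.0.113.7 port 40150 ssh2
Apr 18 02:11:52 mail sshd[2107]: Accepted password for root from 203.0.113.7 port 40188 ssh2
Apr 18 09:30:02 mail sshd[2960]: Accepted publickey for bromo from 198.51.100.20 port 51514 ssh2
Apr 18 09:45:10 mail sshd[3011]: Failed password for bromo from 198.51.100.20 port 51600 ssh2
Apr 18 10:02:31 mail CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize_logins(log_text, known_ips=(), fail_threshold=3):
    """Return (user, ip, method, prior_failures, verdict) per accepted login."""
    failures = Counter()   # failed attempts seen so far, per source IP
    report = []
    for line in log_text.splitlines():
        m = SSHD_AUTH.search(line)
        if not m:
            continue       # not an sshd authentication line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        prior = failures[ip]
        if ip in known_ips:            # addresses the admin logs in from (assumed input)
            verdict = "expected"
        elif prior >= fail_threshold:  # threshold is an illustrative choice
            verdict = "success after repeated failures"
        else:
            verdict = "unknown source"
        report.append((m["user"], ip, m["method"], prior, verdict))
    return report

if __name__ == "__main__":
    # On the droplet, replace SAMPLE_LOG with open("/var/log/auth.log").read()
    for row in summarize_logins(SAMPLE_LOG, known_ips={"198.51.100.20"}):
        print(row)
```

On Debian and Ubuntu the sshd entries are in /var/log/auth.log; Red Hat family systems write them to /var/log/secure. An intruder with root access can edit or truncate these files, so a clean result does not rule out a compromise.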

Hello Bromo,

Which OS are you on?

More than likely someone used an exploit on your server.

- Alex