By bromokun
Dear guys,
I have a droplet which I use as an email server. Applications that I installed there are:
- iRedmail,
- Phplist,
- MySql,
- Apache httpd
I had been using it for 3 months already, and suddenly I got a ticket from digitalocean support which shows that my droplet has been performing brute force attack against another server’s SSH …
My questions:
- How can I find out that my server does this things?
- How can I clean my server that might already invested by a BOTNET?
Thanks in advance, Bromo
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Hello Bromo, <br> <br>Which OS are you on? <br> <br>More than likely someone used a exploit on your server. <br> <br>- Alex
The first place I’d look is /var/log/auth.log to see if someone else is logging on to the droplet. <br> <br>I’d also encourage you to install rkhunter as well.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.