My Droplet sending Brute Force attack?

Posted April 19, 2014 3.5k views
Dear guys, I have a droplet which I use as an email server. The applications that I installed there are:

1. iRedmail
2. Phplist
3. MySql
4. Apache httpd

I had been using it for 3 months already, and suddenly I got a ticket from DigitalOcean support which shows that my droplet has been performing a brute force attack against another server's SSH ...

My questions:

1. How can I find out that my server does these things?
2. How can I clean my server that might already be infested by a BOTNET?

Thanks in advance, Bromo

2 answers
Hello Bromo,

Which OS are you on?

More than likely someone used an exploit on your server.

- Alex

The first place I'd look is /var/log/auth.log to see if someone else is logging on to the droplet.

I'd also encourage you to install rkhunter as well.
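
One way to carry out the /var/log/auth.log check suggested in the answer above, as an added example that is not part of the original thread: it lists accepted SSH logins and marks those that came from an unrecognised address or followed failed attempts from the same address. It assumes Debian/Ubuntu-style sshd syslog lines; the sample lines, host name, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the sshd line format found in /var/log/auth.log
# (illustrative only, not taken from the poster's droplet).
SAMPLE_LOG = """\
Apr 18 02:11:01 mail sshd[2101]: Failed password for root from 198.51.100.23 port 40112 ssh2
Apr 18 02:11:04 mail sshd[2103]: Failed password for invalid user admin from 198.51.100.23 port 40120 ssh2
Apr 18 02:11:09 mail sshd[2107]: Failed password for root from 198.51.100.23 port 40131 ssh2
Apr 18 02:11:15 mail sshd[2110]: Accepted password for root from 198.51.100.23 port 40140 ssh2
Apr 18 09:30:42 mail sshd[3350]: Accepted publickey for bromo from 203.0.113.7 port 51522 ssh2
Apr 18 09:45:00 mail CRON[3400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches sshd authentication results, including the "invalid user" variant.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

def review_logins(log_text, known_ips=()):
    """Return accepted SSH logins, each annotated with the number of failed
    attempts seen earlier from the same address and whether it is known."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = SSHD_AUTH.match(line)
        if not m:
            continue  # not an sshd authentication result line
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        else:
            accepted.append({
                "time": m["ts"], "user": m["user"], "ip": m["ip"],
                "method": m["method"],
                "prior_failures": failures[m["ip"]],
                "known_ip": m["ip"] in known_ips,
            })
    return accepted

def suspicious(logins):
    """Logins from an unrecognised address, or that followed failed attempts."""
    return [l for l in logins if not l["known_ip"] or l["prior_failures"] > 0]

if __name__ == "__main__":
    # known_ips is the set of addresses you normally log in from (assumed here).
    for entry in suspicious(review_logins(SAMPLE_LOG, known_ips={"203.0.113.7"})):
        print(entry)
```

To use it on a real system, pass the contents of the log file instead of `SAMPLE_LOG`; on Red Hat-style systems the same sshd lines are written to /var/log/secure.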