Three days ago I received the notification that my droplet would be blocked due to it sending DDOS attacks. The droplet is very small, only running 2 small Ghost blogs. I’m still new to learning how to develop, and I have spent the last days trying to figure out what happened.
Using the “top” command I found that a process called MFXRHBSAU was sucking up 40% of the CPU. I followed the instructions here https://www.digitalocean.com/community/questions/my-droplet-has-been-compromised-and-is-sending-an-outgoing-flood-or-ddos-what-do-i-do and deleted the folder where MFXRHBSAU was located. It was in a Ghost theme that I had recently installed from GitHub (https://github.com/haydenbleasel/ghost-themes/tree/vignette) and also in the /root folder. Seconds later a new folder appeared in the /root folder and a new process also started showing up, using the same CPU power and with a similar random name. Every time I deleted the folder or killed the process a new one showed up.
I searched the logs for clues to what was happening and saw that for the past week I have been under strong login attempts from China every minute or so. Right now I’m without a clue on how to continue investigating the source of the attack. Any help on how to proceed to eliminate this threat would be more than welcome.
Also, I uploaded screenshots of the console with the information from lsof -i, top and the other attempts that I made trying to find the source: https://www.dropbox.com/sh/rtij3s1mbirgcoz/AACghblFOzvALeQ2yB2PWe72a?dl=0
Thank you very much!
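The post mentions login attempts arriving every minute but gives no way to quantify them. The script below is an added example, not part of the original question or of any DigitalOcean guide: it tallies failed SSH password attempts per source address from auth.log-style lines, which is the first check a defender would run on a droplet like this one. The log lines are constructed for the example and use documentation address ranges; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): tally failed SSH logins per
# source address from auth.log-style lines, to turn "login attempts every
# minute" into concrete numbers and a list of addresses to block.

# Constructed sample lines in the OpenSSH/syslog format; the addresses come
# from the RFC 5737 documentation ranges and are not real attackers.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 web sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:09 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:15 web sshd[1210]: Failed password for root from 198.51.100.23 port 40012 ssh2
Mar  3 10:03:01 web sshd[1215]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
Mar  3 10:03:20 web sshd[1220]: Failed password for root from 203.0.113.7 port 51044 ssh2'

# Print "count ip" pairs for failed password attempts, busiest source first.
# Reads log text from stdin, so on a real host it can be used as:
#   grep sshd /var/log/auth.log | failed_by_ip
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            # The address is the token right after "from"; the user name may
            # be several tokens ("invalid user admin"), so scan for "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
         }
         END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Convenience wrapper that runs the tally over the constructed sample.
sample_failed_by_ip() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
}

# Source address with the most failures in the sample: the first candidate
# for a firewall rule or fail2ban-style rate limiting.
top_failed_ip() {
    sample_failed_by_ip | head -n 1 | awk '{print $2}'
}

# Number of failed attempts from one address in the sample (empty if none).
failures_from() {
    sample_failed_by_ip | awk -v ip="$1" '$2 == ip {print $1}'
}

# Stand-alone run: show the tally for the sample.
sample_failed_by_ip
```

On the sample this prints `3 203.0.113.7` and `1 198.51.100.23`; the accepted public-key login is not counted. A process that reappears seconds after being killed, as described in the post, points to a persistence mechanism (a cron entry, a parent process, or a startup file) rather than a stray binary, so the login tally is only the first step; the DigitalOcean guide the post links covers the rebuild-from-clean-image approach that is the usual remedy once a host has been compromised.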