Question

Server sending DDoS attack. Droplet blocked and looking for solutions.

Three days ago I received a notification that my droplet would be blocked because it was sending DDoS attacks. The droplet is very small, only running two small Ghost blogs. I’m still new to learning how to develop, and I have spent the last few days trying to figure out what happened.

Using the “top” command I found that a process called MFXRHBSAU was sucking up 40% of the CPU. I followed the instructions here https://www.digitalocean.com/community/questions/my-droplet-has-been-compromised-and-is-sending-an-outgoing-flood-or-ddos-what-do-i-do and deleted the folder where MFXRHBSAU was located. It was in a Ghost theme that I had recently installed from GitHub (https://github.com/haydenbleasel/ghost-themes/tree/vignette), and also in the /root folder. Seconds later a new folder appeared in the /root folder and a new process also started showing up, using the same CPU power and with a similarly random name. Every time I deleted the folder or killed the process, a new one showed up.

I searched the logs for clues to what was happening and saw that for the past week I have been under strong login attempts from China every minute or so. Right now I’m without a clue on how to continue investigating the source of the attack. Any help on how to proceed to eliminate this threat would be more than welcome.

Also, I uploaded screenshots of the console with the information from lsof -i, top and the other attempts that I made trying to find the source: https://www.dropbox.com/sh/rtij3s1mbirgcoz/AACghblFOzvALeQ2yB2PWe72a?dl=0

Thank you very much!


This sure does look like a rootkit.

First off, I’m seeing one odd thing:

dyttppqtaw

run this on your server:

find / -name '*dyttppqtaw*'

Once you find the file (if you do), run this:

file [PATH_TO_FILE]

Also, your boot looks off. My advice is to review the files on the server (forensics/learning), backup your files – files you know to be yours, and create a new server/re-image this one.

If it were my server, I wouldn’t trust anything that is a binary file. Readable text files would be the only thing I would take (aside from image files). This looks like it was compromised. I cannot say without logging in myself, but that is my educated opinion.
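The answer above stops at "find the file, run file on it, re-image". The steps a practitioner would actually want in between, as an added example that is not part of the question, the answer or DigitalOcean's guidance: find out which still-running parent keeps re-creating the folder (deleting the folder cannot help while that parent lives), read the usual persistence hooks before deciding what to carry to a fresh droplet, and work out from auth.log how the attacker got in. The PID, the process name, all paths and the auth.log excerpt below are constructed for illustration; on the real server you would substitute what top and lsof showed.

```shell
#!/bin/sh
# Added triage helpers for the respawning random-named process described above.
# Example code, not from the original post, the answer, or DigitalOcean.
# The PID, process name, paths and the auth.log lines below are constructed;
# substitute the PID and name you see in top on the real server.

# 1. Who keeps respawning it? Walk from the suspicious PID up its parent chain
#    and print each ancestor's executable. "(deleted)" on an exe path means the
#    binary was removed from disk but is still running from memory.
trace_parents() {
    pid="$1"
    while [ -n "$pid" ] && [ "$pid" -gt 1 ]; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
    done
}

# 2. What is the file? The answer's find + file step as one command, using the
#    glob syntax find -name actually understands (* rather than %).
find_and_identify() {
    find / -xdev -name "*$1*" -exec file {} + 2>/dev/null
}

# 3. Where does it come back from? The usual persistence hooks to read before
#    deciding what (if anything) to carry over to a fresh droplet.
persistence_survey() {
    for f in /etc/ld.so.preload /etc/rc.local /root/.bashrc /root/.profile \
             /root/.ssh/authorized_keys; do
        [ -f "$f" ] && { echo "== $f"; cat "$f"; }
    done
    echo "== cron"
    crontab -l 2>/dev/null
    ls -la /etc/cron* /var/spool/cron 2>/dev/null
    echo "== systemd units changed in the last 7 days"
    find /etc/systemd/system /lib/systemd/system -name '*.service' -mtime -7 2>/dev/null
    echo "== executables in /root and world-writable locations"
    find /root /tmp /var/tmp /dev/shm -type f -perm -u+x -exec file {} + 2>/dev/null
}

# 4. How did they get in? Count failed SSH passwords per source IP (stdin),
#    output "count ip" sorted by count descending.
failed_by_ip() {
    grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Flag "Accepted" logins from an IP that also appears in the failures: a
# brute force that eventually succeeded is the likely point of entry, and
# that account's password and keys must be replaced on the new server.
suspect_logins() {
    input=$(cat)
    failed=$(printf '%s\n' "$input" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort -u)
    printf '%s\n' "$input" | grep 'Accepted ' | while read -r line; do
        ip=$(printf '%s\n' "$line" | sed -n 's/.* from \([0-9.]*\) port .*/\1/p')
        if [ -n "$ip" ] && printf '%s\n' "$failed" | grep -qx "$ip"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample auth.log excerpt (not the poster's real logs).
SAMPLE_AUTH_LOG='Mar  3 04:12:01 blog sshd[2210]: Failed password for root from 203.0.113.45 port 51422 ssh2
Mar  3 04:12:04 blog sshd[2212]: Failed password for root from 203.0.113.45 port 51430 ssh2
Mar  3 04:12:07 blog sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Mar  3 04:12:09 blog sshd[2216]: Failed password for root from 203.0.113.45 port 51438 ssh2
Mar  3 04:13:40 blog sshd[2231]: Accepted password for root from 203.0.113.45 port 51502 ssh2
Mar  3 09:00:12 blog sshd[3001]: Accepted publickey for deploy from 192.0.2.10 port 60120 ssh2'

# On the live server (hypothetical PID and name):
#   trace_parents 4242
#   find_and_identify dyttppqtaw
#   persistence_survey
#   failed_by_ip   < /var/log/auth.log
#   suspect_logins < /var/log/auth.log
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | suspect_logins
```

Run it from a root shell on the compromised droplet before wiping it, and keep the output off the box (scp it to your workstation): the parent chain tells you which process to kill first, the survey tells you which files not to copy to the new server, and the auth.log summary tells you whether the entry point was the SSH password the poster's logs already hinted at, in which case the rebuilt droplet should disable password authentication for root entirely.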