Three days ago I received a notification that my droplet would be blocked because it was sending DDoS attacks. The droplet is very small, only running 2 small Ghost blogs. I’m still new and learning how to develop, and I have spent the last days trying to figure out what happened.
Using the function “top”, I found that a process called MFXRHBSAU was sucking up 40% of the CPU. I followed the instructions here https://www.digitalocean.com/community/questions/my-droplet-has-been-compromised-and-is-sending-an-outgoing-flood-or-ddos-what-do-i-do and deleted the folder where MFXRHBSAU was located. It was in a Ghost theme that I had recently installed from GitHub (https://github.com/haydenbleasel/ghost-themes/tree/vignette) and also in the /root folder. Seconds later a new folder appeared in the /root folder and a new process also started showing up, using the same CPU power and with a similarly random name. Every time I deleted the folder or killed the process, a new one showed up.
I searched the logs for clues as to what was happening and saw that for the past week I have been under strong login attempts from China every minute or so. Right now I’m without a clue as to how to continue investigating the source of the attack. Any help on how to proceed to eliminate this threat would be more than welcome.
Also, I uploaded screenshots of the console with the information from lsof -i, top and the other attempts that I made trying to find the source: https://www.dropbox.com/sh/rtij3s1mbirgcoz/AACghblFOzvALeQ2yB2PWe72a?dl=0
Thank you very much!