Server sending DDOS attack. Droplet blocked and looking for solutions.

October 29, 2014

Three days ago I received the notification that my droplet would be blocked due to it sending DDOS attacks. The droplet is very small, only running 2 small Ghost blogs. I'm still new and learning how to develop, and I have spent the last few days trying to figure out what happened.

Using the "top" command I found that a process called MFXRHBSAU was sucking up 40% of the CPU. I followed the instructions here and deleted the folder in which MFXRHBSAU was located. It was in a Ghost theme that I had recently installed from GitHub (and also in the /root folder). Seconds later a new folder appeared in the /root folder and a new process also started showing, using the same CPU power and with a similar random name. Every time I deleted the folder or killed the process, a new one showed up.

I searched the logs for clues to what was happening and saw that for the past week I have been under strong login attempts from China every minute or so. Right now I'm without a clue on how to continue investigating the source of the attack. Any help on how to proceed to eliminate this threat would be more than welcome.

Also, I uploaded screenshots of the console with the information from lsof -i, top and the other attempts that I made trying to find the source:

Thank you very much!

1 comment
  • Sounds like you might do better to just destroy your droplet and start over.

    But it would be really interesting to explore how this happened. Do you have any ideas? Can you give more details about your server:

    • were you using root user for running things?
    • did you have a firewall installed?
    • do you use passwordless logins?

    Any other details?

2 Answers

First off, I'm seeing one odd thing:


Run this on your server:

find / -name '%dyttppqtaw%'

Once you find the file (if you do), run this:


Also, your boot looks off. My advice is to review the files on the server (forensics/learning), back up your files -- files you know to be yours -- and create a new server/re-image this one.

If it were my server, I wouldn't trust anything that is a binary file. Readable text files would be the only thing I would take (aside from image files). This looks like it was compromised. I cannot say without logging in myself, but that is my educated opinion.

This sure does look like a rootkit.
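As an added example that is not part of the original thread, here is a small Python script for the kind of log review the poster describes: it walks sshd lines from auth.log, counts failed logins per source, and flags any source that succeeded after repeated failures. The log lines below are constructed samples, not from the poster's server.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from the original post). The format
# follows the usual OpenSSH "Failed password" / "Accepted ..." syslog messages.
SAMPLE_AUTH_LOG = """\
Oct 26 03:14:01 ghost sshd[2013]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 26 03:14:03 ghost sshd[2015]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct 26 03:15:10 ghost sshd[2020]: Failed password for root from 203.0.113.7 port 51044 ssh2
Oct 26 03:16:42 ghost sshd[2031]: Failed password for root from 198.51.100.9 port 40011 ssh2
Oct 26 03:17:00 ghost sshd[2040]: Accepted password for root from 203.0.113.7 port 51090 ssh2
Oct 26 09:01:12 ghost sshd[2201]: Accepted publickey for deploy from 192.0.2.25 port 60010 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def summarize(log_text, threshold=3):
    """Count failed logins per source IP and flag successes from noisy sources."""
    failed = Counter()              # source IP -> number of failed attempts
    users = defaultdict(set)        # source IP -> usernames it tried
    accepted = []                   # (ip, user, auth method) for each success
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    noisy = {ip for ip, n in failed.items() if n >= threshold}
    # A successful login from a source that had been guessing passwords is the
    # strongest hint that the brute force worked and the box should be rebuilt.
    suspicious = [entry for entry in accepted if entry[0] in noisy]
    return {
        "failed": dict(failed),
        "users": {ip: sorted(u) for ip, u in users.items()},
        "accepted": accepted,
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real system feed it the contents of /var/log/auth.log (or the journal export) instead of the sample text.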
