Suspicious network activity after brute force login attack
I created a droplet (OpenVPN 2.8.5 from the marketplace) and after just 2 days I received a message from DigitalOcean that my droplet had been under brute-force attack. Sure enough, the root password was changed and I had to reset it from the control panel to be able to log in again. After logging in again I see there is suspicious network activity going on to some IP addresses from Japan and other countries. I could not trace down the process ID of these network activities; they all show up as ? in the NetHogs output.
What can/should I do? And if I delete this droplet and create a new one, how do I prevent the same scenario from happening again?
NetHogs version 0.8.5-2

PID   USER  PROGRAM                                       DEV   SENT   RECEIVED
2100  root  sshd: root@pts/1                              eth0  0.627  0.087  KB/sec
?     root  126.96.36.199:1433-188.8.131.52:50204               0.011  0.022  KB/sec
?     root  184.108.40.206:3389-220.127.116.11:54203            0.011  0.022  KB/sec
?     root  18.104.22.168:9201-22.214.171.124:42091             0.011  0.011  KB/sec
?     root  126.96.36.199:445-188.8.131.52:62540                0.000  0.000  KB/sec
?     root  184.108.40.206:13197-220.127.116.11:42052           0.000  0.000  KB/sec
?     root  18.104.22.168:23-22.214.171.124:44234               0.000  0.000  KB/sec
?     root  126.96.36.199:15448-188.8.131.52:44988              0.000  0.000  KB/sec
?     root  unknown TCP                                         0.000  0.000  KB/sec

TOTAL                                                           0.659  0.143  KB/sec
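As an added example (not from the original post and not NetHogs' own code): a small Python script that attributes TCP connections to PIDs by reading /proc/net/tcp and matching each socket inode against the links in /proc/<pid>/fd, which is the same lookup NetHogs performs, so a `?` can be re-checked independently of the tool. The /proc/net/tcp sample rows, the addresses in them and the inode 12345 are constructed for the example.

```python
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

# Constructed /proc/net/tcp excerpt (not from the original post): a listener on
# 127.0.0.1:22 and one established session whose socket inode is 12345.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0B0A0A0A:C41C 057100CB:0599 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1
"""

def _endpoint(field):
    """Decode 'AABBCCDD:PPPP' (little-endian hex IPv4, hex port) into (ip, port)."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row: local/remote endpoints, state, uid, inode."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[0] == "sl":      # skip the header row and junk
            continue
        entries.append({"local": _endpoint(f[1]), "remote": _endpoint(f[2]),
                        "state": TCP_STATES.get(f[3], f[3]),
                        "uid": int(f[7]), "inode": int(f[9])})
    return entries

def inode_to_pid_map(proc="/proc"):
    """Walk /proc/<pid>/fd for 'socket:[N]' links; run as root to see every process."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    mapping[int(target[8:-1])] = int(pid)
        except OSError:          # process exited or fd table not readable
            continue
    return mapping

def attribute_connections(entries, inode_map):
    """Attach the owning pid to each entry; None is what NetHogs shows as '?'."""
    return [dict(e, pid=inode_map.get(e["inode"])) for e in entries]
```

On the droplet, run `attribute_connections(parse_proc_net_tcp(open("/proc/net/tcp").read()), inode_to_pid_map())` as root; a connection that still has no pid after this independent lookup means the host's own view of its processes can no longer be trusted, and rebuilding from a fresh image is the safer path.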