I created a droplet (OpenVPN 2.8.5 from the marketplace) and after just 2 days I received a message from DigitalOcean that my droplet has been under brute-force attack. Surely enough the root password was changed and I had to reset it from the control panel to be able to log in again. After logging in again I see there is suspicious network activity going on to some IP addresses from Japan and other countries. I could not trace down the process ID of these network activities… they all show up as ? in the NetHogs output.
What can/should I do? And if I delete this droplet and create a new one, how do I prevent the same scenario from happening again?
NetHogs version 0.8.5-2

PID    USER   PROGRAM                                   DEV    SENT    RECEIVED
2100   root   sshd: root@pts/1                          eth0   0.627   0.087   KB/sec
?      root   188.8.131.52:1433-184.108.40.206:50204           0.011   0.022   KB/sec
?      root   220.127.116.11:3389-18.104.22.168:54203          0.011   0.022   KB/sec
?      root   22.214.171.124:9201-126.96.36.199:42091          0.011   0.011   KB/sec
?      root   188.8.131.52:445-184.108.40.206:62540            0.000   0.000   KB/sec
?      root   220.127.116.11:13197-18.104.22.168:42052         0.000   0.000   KB/sec
?      root   22.214.171.124:23-126.96.36.199:44234            0.000   0.000   KB/sec
?      root   188.8.131.52:15448-184.108.40.206:44988          0.000   0.000   KB/sec
?      root   unknown TCP                                      0.000   0.000   KB/sec
TOTAL                                                          0.659   0.143   KB/sec
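A small triage helper, added here as an example and not part of the original post: it parses NetHogs rows like the ones above (including the "?" rows, which have no DEV column) and counts which well-known service ports appear on connections NetHogs could not attribute to a process. The port-to-service labels are standard assignments, and the sample input is the dump from the post.

```python
import re
from collections import Counter

# Well-known service ports (IANA assignments), used only to label endpoints.
SERVICE = {23: "telnet", 445: "smb", 1433: "mssql", 3389: "rdp"}

# Sample input: the NetHogs dump from the post above.
SAMPLE = """\
PID USER PROGRAM DEV SENT RECEIVED
2100 root sshd: root@pts/1 eth0 0.627 0.087 KB/sec
? root 188.8.131.52:1433-184.108.40.206:50204 0.011 0.022 KB/sec
? root 220.127.116.11:3389-18.104.22.168:54203 0.011 0.022 KB/sec
? root 22.214.171.124:9201-126.96.36.199:42091 0.011 0.011 KB/sec
? root 188.8.131.52:445-184.108.40.206:62540 0.000 0.000 KB/sec
? root 220.127.116.11:13197-18.104.22.168:42052 0.000 0.000 KB/sec
? root 22.214.171.124:23-126.96.36.199:44234 0.000 0.000 KB/sec
? root 188.8.131.52:15448-184.108.40.206:44988 0.000 0.000 KB/sec
? root unknown TCP 0.000 0.000 KB/sec
TOTAL 0.659 0.143 KB/sec
"""

# A data row: PID USER PROGRAM [DEV] SENT RECEIVED KB/sec (header and TOTAL do not match).
ROW = re.compile(r"^(?P<pid>\S+)\s+(?P<user>\S+)\s+(?P<prog>.+?)\s+"
                 r"(?P<sent>\d+\.\d+)\s+(?P<recv>\d+\.\d+)\s+KB/sec$")
# PROGRAM field of a '?' row: NetHogs shows the raw socket pair ip:port-ip:port.
CONN = re.compile(r"^([\d.]+):(\d+)-([\d.]+):(\d+)$")


def parse_nethogs(text):
    """One dict per data row; rows with a real PID carry a DEV column, '?' rows do not."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["sent"], r["recv"], r["dev"] = float(r["sent"]), float(r["recv"]), None
        if r["pid"] != "?":
            r["prog"], _, r["dev"] = r["prog"].rpartition(" ")
        c = CONN.match(r["prog"])
        r["endpoints"] = [(c[1], int(c[2])), (c[3], int(c[4]))] if c else []
        rows.append(r)
    return rows


def unattributed_service_ports(rows):
    """Count well-known service ports on connections NetHogs could not map to a PID."""
    hits = Counter()
    for r in rows:
        if r["pid"] == "?":
            hits.update(SERVICE[p] for _ip, p in r["endpoints"] if p in SERVICE)
    return hits
```

A cluster of such ports on process-less connections is the cue to look them up while they are live with ss -tnp (or lsof -i), which reports the owning PID that NetHogs could not find.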