Recovering Files from a Compromised Droplet Using the Recovery ISO
This tutorial explains how to recover files from your Droplet after an attack.
Let's say that someone has gained access to your Droplet and launched an attack. Nobody wants to be in this situation.
But by using the recovery environment, you can quickly transfer your important files off your compromised Droplet. You can transfer them either to a newly provisioned Droplet or to your local computer.
Step 1 — Backing Up Databases
If you are running a MySQL or MariaDB database server, you will want to create a backup of your databases before entering the recovery environment.
This can be done via the web console, which you can access from your DigitalOcean control panel.
Log into your server, and use the mysqldump command. mysqldump can be used to create a .sql file containing the contents of your database. You will then be able to import it easily on another server running MySQL or MariaDB.
There is a detailed article on how to export databases using mysqldump.
As a quick reference, the basic syntax of the command is:
mysqldump -u username -p database_to_backup > backup_name.sql
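A fuller version of this backup step, as an added example (not DigitalOcean's own script): it runs the mysqldump command above for each database, rejects a dump that lacks the "-- Dump completed" comment mysqldump writes at the end of a successful dump, and records a SHA-256 manifest to re-check once the files are off the Droplet. The DB_USER variable and the SHA256SUMS file name are assumptions of this example.

```shell
#!/bin/sh
# Added example: dump databases, confirm each dump is complete, and record
# a SHA-256 manifest to verify after the files are copied elsewhere.

# mysqldump ends a successful dump with a "-- Dump completed" comment
# (unless comments were disabled); a truncated file lacks it.
dump_is_complete() {
    tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# Dump database $1 into directory $2. Prompts for the password, like the
# command in the tutorial. DB_USER is this example's own variable.
backup_database() {
    db=$1; dir=$2
    mysqldump -u "${DB_USER:-root}" -p "$db" > "$dir/$db.sql" || return 1
    dump_is_complete "$dir/$db.sql"
}

# Write checksums of every .sql file in directory $1 to $1/SHA256SUMS.
write_manifest() {
    ( cd "$1" && sha256sum ./*.sql > SHA256SUMS )
}

# Re-check the files in directory $1 against the manifest. Run this on the
# machine the files were copied to; returns non-zero on any mismatch.
verify_manifest() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Usage: sh backup.sh OUTPUT_DIR DATABASE...
if [ "$#" -ge 2 ]; then
    out=$1; shift
    for db in "$@"; do
        backup_database "$db" "$out" || { echo "incomplete dump: $db" >&2; exit 1; }
    done
    write_manifest "$out"
fi
```

Copy SHA256SUMS along with the .sql files, then call verify_manifest on the destination directory before importing anything.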
Step 2 — Requesting the Recovery Environment
Once you have your database backups, you will need to let a DigitalOcean support tech know you require the recovery environment. If your Droplet has been locked, you should already have a support ticket open on your account which you can update with this request.
Step 3 - Mounting your filesystem
Once your Droplet has been booted to the recovery environment, you can connect to it via the web console in the control panel. When you do, you will be presented with a menu screen like the following one:
To get started, you will need to mount your filesystem by entering 1 and then pressing Enter. You will be returned to the menu, and if the mount was successful, the device name will now be displayed.
Step 4 - Enabling Networking
Since networking is not enabled by default in the recovery environment, we now need to enable the network interface. Select 2 and press Enter to continue.
If your Droplet is in a region which supports Droplet metadata, your network will be automatically enabled.
In regions that do not yet support metadata, you will now be prompted to enter the network information displayed below the console window. Enter the Netmask as they are shown.
After you enter these details, the recovery environment will configure your network interface, set up DNS, and check that the network is now up and running. If everything goes well, you will be returned to the menu.
Step 5 - Starting an SSH Server
Now that we have our filesystem mounted and our Droplet can talk to the Internet, we just need to enable a service to allow us to access our files. The recovery environment can configure and enable an SSH/SFTP server on your Droplet to allow you access. To enable the SSH server, you will need to select 4 from the menu and press Enter.
When you select this option, the SSH server components will be automatically downloaded and installed, and you will be shown a temporary password and connection details you can use to reach the recovery environment's SSH/SFTP service.
Step 6 - Connecting via SFTP
Now that the SSH service has been enabled, it can be reached using an SSH or SFTP client. Using the SFTP client FileZilla, you can create a new connection with the following details, replacing the placeholder values shown with your Droplet's IP address and the temporary password from the previous step:
Host: your_droplets_IP
Port: 22
Protocol: SFTP - SSH File Transfer Protocol
Login Type: Normal
User: root
Password: TEMPORARY_PASSWORD
When you connect you will start out in the directory /root and your Droplet's filesystem will be located in
More information about using FileZilla can be found here.
Now that you have recovered your files and database, it is important to ensure that your new Droplet is secure. The following tutorial will walk you through some recommended first steps:
We also have many other security-related articles and tutorials that you can find here, many of which relate to specific software and services: