
Recovering Files from a Compromised Droplet Using the Recovery ISO

Posted Dec 15, 2014


This tutorial explains how to recover files from your Droplet after an attack.

Let's say that someone has gained access to your Droplet and launched an attack. Nobody wants to be in this situation.

But by using the recovery environment, you can quickly transfer your important files off your compromised Droplet, either to a newly provisioned Droplet or to your local computer.

Step 1 — Backing Up Databases

If you are running a MySQL or MariaDB database server, you will want to create a backup of your databases before entering the recovery environment.

This can be done via the web console, which you can access from your DigitalOcean control panel.

Log into your server, and use the mysqldump utility. mysqldump can be used to create a .sql file containing the contents of your database. You will then be able to import it easily on another server running MySQL or MariaDB.

There is a detailed article on how to export databases using mysqldump here.

As a quick reference, the basic syntax of the command is:

mysqldump -u username -p database_to_backup > backup_name.sql
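
Once the Droplet is booted into the recovery environment you cannot re-run mysqldump against the live server, so it is worth confirming that each dump is complete and recording a checksum to compare after the SFTP transfer in Step 6. The shell functions below are an added example, not part of the original tutorial; the function names are hypothetical, and sha256sum is assumed to be installed on both the Droplet and the destination.

```sh
#!/bin/sh
# Added example, not part of the original tutorial.
# Assumes sha256sum (GNU coreutils) on the Droplet and on the destination.
# Usage: . ./dump_check.sh; seal_dump backup_name.sql

# Succeeds only if FILE is non-empty and ends with the trailer mysqldump
# writes last ("-- Dump completed on <date>"). A dump cut short by a full
# disk or a dropped console session lacks it. The trailer is also absent
# when comments are disabled (--skip-comments, --compact), so avoid those.
check_dump() {
    [ -s "$1" ] || return 1
    tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# Check the dump, then write FILE.sha256 beside it. The checksum file stores
# only the base name, so it still verifies after both files are moved.
seal_dump() {
    check_dump "$1" || { echo "incomplete dump: $1" >&2; return 1; }
    ( cd "$(dirname "$1")" && f=$(basename "$1") && sha256sum "$f" > "$f.sha256" )
}

# Run on the destination after the transfer: non-zero if the dump no longer
# matches the checksum recorded on the Droplet.
verify_dump() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) >/dev/null 2>&1
}

# Self-check on constructed sample data: one complete and one truncated dump.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'CREATE TABLE t (id INT);' 'INSERT INTO t VALUES (1);' \
        '-- Dump completed on 2014-12-15 10:00:00' > "$d/good.sql"
    printf '%s\n' 'CREATE TABLE t (id INT);' 'INSERT INTO t VAL' > "$d/cut.sql"
    seal_dump "$d/good.sql" && verify_dump "$d/good.sql" || { rm -rf "$d"; return 1; }
    seal_dump "$d/cut.sql" 2>/dev/null && { rm -rf "$d"; return 1; }
    echo 'changed' >> "$d/good.sql"   # simulate a file altered after sealing
    verify_dump "$d/good.sql" && { rm -rf "$d"; return 1; }
    rm -rf "$d"
}
```

Transfer the .sha256 file together with the dump and run verify_dump on the destination before importing it.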

Step 2 — Requesting the Recovery Environment

Once you have your database backups, you will need to let a DigitalOcean support tech know you require the recovery environment. If your Droplet has been locked, you should already have a support ticket open on your account which you can update with this request.

Step 3 - Mounting Your Filesystem

Once your Droplet has been booted into the recovery environment, you can connect to it via the web console in the control panel. When you do, you will be presented with a menu screen.

To get started, mount your filesystem by entering 1 and then pressing Enter. You will be returned to the menu, and if the mount was successful, the device name will now be displayed.

Step 4 - Enabling Networking

Since networking is not enabled by default in the recovery environment, we now need to enable the network interface. Select 2 and press Enter to continue.

If your Droplet is in a region that supports Droplet metadata, your network will be enabled automatically.

In regions that do not yet support metadata, you will be prompted to enter the network information displayed below the console window. Enter the IP Address, Gateway, and Netmask as they are shown.

After you enter these details, the recovery environment will configure your network interface, set up DNS, and check that the network is up and running. If everything goes well, you will be returned to the menu.

Step 5 - Starting an SSH Server

Now that our filesystem is mounted and our Droplet can talk to the Internet, we just need to enable a service that gives us access to our files. The recovery environment can configure and enable an SSH/SFTP server on your Droplet for this purpose. To enable the SSH server, select 4 from the menu and press Enter.

When you select this option, the SSH server components are automatically downloaded and installed, and you are shown a temporary password and the connection details you can use to reach the recovery environment's SSH/SFTP service.

Step 6 - Connecting via SFTP

Now that the SSH service has been enabled, it can be reached using an SSH or SFTP client. Using the SFTP client FileZilla, you can create a new connection with the following details, substituting your Droplet's IP address and the temporary password from Step 5 for the values shown:

Host: your_droplets_IP
Port: 22
Protocol: SFTP - SSH File Transfer Protocol
Login Type: Normal
User: root

When you connect, you will start out in the directory /root, and your Droplet's filesystem will be located in /mnt.

More information about using FileZilla can be found here.

Next Steps

Now that you have recovered your files and database, it is important to ensure that your new Droplet is secure. The following tutorial will walk you through some recommended first steps:

We also have many other security-related articles and tutorials that you can find here, many of which relate to specific software and services:


Creative Commons License