I'm facing a serious security issue with my servers. I recently found that two of my DigitalOcean droplets were flagged for sending DDoS traffic, indicating that they were compromised and likely used in a botnet attack. Despite having hardened SSH with key authentication and disabling password and root logins, an investigation revealed malware running as root from the /dev directory that kept respawning. It also detected processes checking for cryptomining signatures, suggesting an infection with a mining botnet.
I suspect the breach occurred through my Node/Next.js server that was exposed on port 3000, rather than through SSH. I'm considering backing up my data, destroying the droplet, and rebuilding it with tighter security measures like using a non-root user and restricting access to only necessary ports. If anyone has encountered this type of attack or has advice on preventing it in the future, your insights would be greatly appreciated.
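The symptom described above (a root process whose binary lives under /dev and keeps respawning) can be checked for directly from /proc. The following is an added example, not code from the original post: it reads each process's `exe` link and `status` file, flags executables under directories that should never host binaries or that have been unlinked from disk, and records the parent so a respawn chain is visible. The list of suspicious prefixes and the sample process table are assumptions constructed for the example.

```python
"""Flag processes executing from /dev, /tmp or deleted files (added example).

Reads /proc on Linux. The prefix list below is an assumption about where a
legitimate binary should never live; adjust it for your own hosts.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Assumption: no legitimate service on this host runs a binary from these trees.
SUSPICIOUS_PREFIXES = ("/dev/", "/tmp/", "/var/tmp/", "/run/shm/")


@dataclass(frozen=True)
class ProcInfo:
    pid: int
    ppid: int
    uid: int
    exe: str  # resolved /proc/<pid>/exe target; readlink appends " (deleted)" if unlinked


def classify(proc: ProcInfo) -> list[str]:
    """Return the reasons a process looks suspicious; an empty list means clean."""
    reasons: list[str] = []
    if proc.exe.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"executable under /{proc.exe.split('/')[1]}")
    if proc.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked from disk")
    if reasons and proc.uid == 0:
        reasons.append("running as root")
    return reasons


def find_suspicious(procs: list[ProcInfo]) -> list[dict]:
    """Report flagged processes and note when the parent is also flagged (a respawner)."""
    flagged = {p.pid: (p, classify(p)) for p in procs if classify(p)}
    report = []
    for pid, (p, reasons) in sorted(flagged.items()):
        report.append({
            "pid": pid, "ppid": p.ppid, "uid": p.uid, "exe": p.exe,
            "reasons": reasons,
            "parent_also_flagged": p.ppid in flagged,
        })
    return report


def read_proc_status(pid: int) -> dict[str, str]:
    """Parse the key: value lines of /proc/<pid>/status."""
    fields: dict[str, str] = {}
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields


def snapshot_live_processes() -> list[ProcInfo]:
    """Collect pid, ppid, real uid and executable path for every visible process."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            status = read_proc_status(pid)
            exe = os.readlink(f"/proc/{pid}/exe")
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            # Process exited, kernel thread (no exe), or not ours and we are not root.
            continue
        procs.append(ProcInfo(pid, int(status["PPid"]), int(status["Uid"].split()[0]), exe))
    return procs


# Constructed sample table standing in for a live /proc snapshot.
SAMPLE_PROCS = [
    ProcInfo(1, 0, 0, "/usr/lib/systemd/systemd"),
    ProcInfo(812, 1, 1000, "/usr/bin/node"),
    ProcInfo(4417, 1, 0, "/dev/.x/svc"),                      # constructed: root binary hidden under /dev
    ProcInfo(4420, 4417, 0, "/dev/.x/svc"),                   # constructed: child respawned by 4417
    ProcInfo(4431, 4417, 0, "/tmp/.cache/miner (deleted)"),   # constructed: binary deleted after exec
]

if __name__ == "__main__":
    # Run as root on the host to inspect every process; otherwise only your own are visible.
    for entry in find_suspicious(snapshot_live_processes() or SAMPLE_PROCS):
        print(entry)
```

On the sample table the report lists 4417, 4420 and 4431; 4420 and 4431 are marked `parent_also_flagged`, which points at 4417 as the process that keeps relaunching them, so killing the children alone will not help. Running this from a live-booted rescue image against the mounted disk is not possible (there is no /proc for the dead system), so take the snapshot before shutting the droplet down and keep it with the offline backup.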
3 Answers
It sounds like you might be dealing with a vulnerability known as React2Shell! If your application wasn't running in an OCI container, that could be a big issue. It's crucial to use properly patched versions of Next.js and consider containerization for added security. This won't entirely protect you from React2Shell, but it can help limit potential damage.
Seriously, avoiding common mistakes is key. Also, don’t leave port 22 open to the world. If you have to, change your SSH port to something non-standard, but be cautious because that can be risky too. The focus should be on patching your application vulnerabilities first, as backing up could unintentionally save the malware along with your data.
I think that's not a great approach. Security through obscurity just doesn't work. Moving SSH to a different port won't solve the core problem. It was definitely not just an SSH breach.
Make sure to back up your data, but keep it offline and don't revert to it. Use that backup to investigate when the malware started. Also, block all unnecessary outbound ports. Be prepared to lose some data to get things clean again. It’s vital to assess how the exposure occurred first before restoring anything.
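Assessing how the exposure occurred starts with knowing what the host actually listens on. The following is an added example, not code from any answer above: it parses the kernel's `/proc/net/tcp` and `/proc/net/tcp6` tables (hex little-endian addresses, state `0A` = LISTEN) and reports every non-loopback listener whose port is not on an allowlist. The allowlist (22, 80, 443) and the sample table contents are assumptions constructed for the example; the idea is that an application server such as the one on port 3000 should bind to loopback behind a reverse proxy rather than to every interface.

```python
"""Audit listening TCP sockets against a port allowlist (added example)."""
from __future__ import annotations

import socket
from dataclasses import dataclass

# Assumption: these are the only ports the rebuilt host should expose to the network.
ALLOWED_PUBLIC_PORTS = {22, 80, 443}
LOOPBACK = {"127.0.0.1", "::1"}
LISTEN_STATE = "0A"  # TCP_LISTEN as printed in /proc/net/tcp


@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    uid: int


def decode_addr(hex_ip: str) -> str:
    """Decode the kernel's hex address: IPv4 is one little-endian word,
    IPv6 is four little-endian 32-bit words in order."""
    raw = bytes.fromhex(hex_ip)
    if len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = [raw[i:i + 4][::-1] for i in range(0, 16, 4)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def parse_listeners(table: str) -> list[Listener]:
    """Return LISTEN sockets from the text of /proc/net/tcp or /proc/net/tcp6."""
    listeners = []
    for line in table.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 10 or parts[3] != LISTEN_STATE:
            continue
        hex_ip, hex_port = parts[1].rsplit(":", 1)
        listeners.append(Listener(decode_addr(hex_ip), int(hex_port, 16), int(parts[7])))
    return listeners


def audit(listeners: list[Listener], allowed=frozenset(ALLOWED_PUBLIC_PORTS)) -> list[Listener]:
    """Return listeners reachable from the network that are not on the allowlist."""
    return [l for l in listeners if l.ip not in LOOPBACK and l.port not in allowed]


def read_live_listeners() -> list[Listener]:
    found = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                found.extend(parse_listeners(fh.read()))
        except FileNotFoundError:
            pass  # e.g. IPv6 disabled
    return found


# Constructed sample tables: sshd on 22, a Node app on 0.0.0.0:3000 (0x0BB8),
# something on loopback:8080 (0x1F90), one established connection, and an IPv6 listener on 443.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18321 1 0000000000000000 100 0 0 10 0
   1: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 24990 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 25001 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0A00000A:D31C 01 00000000:00000000 00:00000000 00000000     0        0 18400 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18500 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    live = read_live_listeners() or parse_listeners(SAMPLE_TCP) + parse_listeners(SAMPLE_TCP6)
    for l in audit(live):
        print(f"unexpected network listener: {l.ip}:{l.port} (uid {l.uid})")
```

On the sample data only `0.0.0.0:3000` is reported: 22 and 443 are on the allowlist and 8080 is bound to loopback. Run it on the rebuilt droplet after deployment, and again after each change to the application, so a service that silently starts binding to all interfaces shows up before the cloud firewall is the only thing in front of it.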

Yeah, that was my initial thought too!