[00:21] <wrst> Ubik: how so?
[00:21]  * wrst has been using DO some
[01:06] <Ubik> wrst: Well, friend of mine has a droplet there, running 2 websites (I set it up for him on his own account since he had GoDaddy and that was a hot garbage mess.) It's worked beautifully for 2 years now.
[01:07] <Ubik> He pays the bill every month, it all just works(TM). Yesterday, he gets an E-Mail about a support ticket being opened, that says his server is on Spamhaus. Claims it has some kind of botnet controller running on it.
[01:08] <Ubik> So he goes to login to WordPress and his site won't load. At all. He forwards me the information, and buried in the ticket I find that they say they have disabled his network interface blah blah...
[01:08] <Ubik> and that he needs to follow Spamhaus' recommended steps (change your passwords, update your software, update your OS, etc.) and then let them know what the cause of the issue was, how they got in, how you fixed it, and how you'll prevent it from happening again.
[01:08] <Ubik> (before you can get your network access back)
[01:09] <Ubik> how does one run a system update without Internet access? (all you have is console access via a browser)....
[01:09] <Ubik> Oh, and they rebooted his box, so whatever was running on port 8080 was gone... nothing malicious found on there. Chances are it wasn't an infection of the site but just some malware process running that they killed when they rebooted it (which also zapped /tmp) so finding out what/how they got in is pretty much impossible.
[01:10] <Ubik> Long story short, he uses an insanely low TTL, so I just powered the thing off, did a snapshot, deployed a new box from the snapshot, that one had network access, updated everything (software/OS/etc) and then updated his DNS records to the new IP... deleted old server. That ticket is still sitting out there. :P
[01:11] <Ubik> I get it if they had reached out to him and said hey your box is up to <x> please fix it, he could have had me login and check... but to disconnect it from the Internet, reboot it, and insist that it be updated and a forensic investigation into what happened be done...
[13:04] <ZachGibbens> Any chance there was an issue? Did you check wtmp or nginx logs?
[13:04] <ZachGibbens> Clamav on the image?
[13:05] <ZachGibbens> I mean still not the most ideal way to have handled it but I ask so it doesn't repeat either.
[16:55] <Ubik> ZachGibbens: No issues found. I suspect, honestly, that it was a process running in /tmp that got in through one of his WordPress installs. The WP installs themselves were not tampered with. And since they rebooted the instance for whatever reason, they destroyed the evidence.