Diagnose the I/O disk from a recovery partition

Impavide
Posts: 2
Joined: 2022-01-11 18:27

Diagnose the I/O disk from a recovery partition

#1 Post by Impavide »

Hi,

Since Saturday, my Digital Ocean VPS (Debian) has been inaccessible via ssh / sftp / http. My websites are down.

I didn't do anything, but a strange and sudden activity seems to explain this issue. I think this change is the cause.

Tonight I started / stopped my VPS and I noticed that I had a peak every 2 minutes (19:20:00, 19:22:00, 19:24:00...). But I have no active cron (I verified), and reading is continuous when my Debian is running (no reads = VPS off).

Also, I have a recovery partition and I can mount my main partition for debugging, but how can I analyze my issue? I can reproduce it on recovery.

I would like to launch some commands from cron with a file as output, like iotop, but iotop is not installed on my server and apt-get doesn't work. wget to get a tar.gz doesn't work either. I'm a bit lost...

Thanks for your help!

Impavide
Posts: 2
Joined: 2022-01-11 18:27

Re: Diagnose the I/O disk from a recovery partition

#2 Post by Impavide »

Hi, I found xmrig on my server but I didn't install it, I don't understand. My VPS seems corrupted.
I removed the Monero miner service but that didn't fix my issue...

steve_v
df -h | grep > 20TiB
Posts: 1395
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 78 times
Been thanked: 173 times

Re: Diagnose the I/O disk from a recovery partition

#3 Post by steve_v »

Impavide wrote (2022-01-20 15:50): Hi, I found xmrig on my server but I didn't install it, I don't understand. My VPS seems corrupted.
s/corrupted/pwned/g
FTFY.

Disk I/O is the least of your problems, the presence of miners and lockout of SSH are obvious indications of a compromised machine. Nuke it from orbit and start again, and this time you might want to think about securing it properly.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
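As an added example (not code from this thread, from Debian, or from the poster), a POSIX sh function that answers the recovery-partition question in post #1 and the xmrig finding in post #2 from a defender's side: with the damaged root filesystem mounted read-only under /mnt (assumed mount point), it lists the places where a miner's persistence usually lives, so the entry point is understood before the rebuild steve_v recommends. It also covers systemd timers, which produce periodic activity on a box that has no crontab.

```shell
#!/bin/sh
# Offline triage of the compromised root filesystem, mounted (read-only) under $1
# from the recovery system. Assumed mount point: /mnt. Nothing on the mounted disk
# is executed; the function only reads files and prints tagged findings.
triage_mount() {
    root="${1:-/mnt}"
    [ -d "$root" ] || { echo "no such mount point: $root" >&2; return 1; }

    # 1. Unit files and timers outside the package-managed /lib tree. Timers here
    #    also explain periodic activity on a box that has "no cron".
    for d in etc/systemd/system usr/local/lib/systemd/system root/.config/systemd/user; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -name '*.service' -o -name '*.timer' \) \
            | sed 's/^/[unit] /'
    done

    # 2. Cron entries of every kind: /etc/cron.d, hourly drop-ins, per-user crontabs.
    for d in etc/cron.d etc/cron.hourly var/spool/cron/crontabs; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f | sed 's/^/[cron] /'
    done

    # 3. SSH keys present on the disk, to be compared with the ones the owner added.
    find "$root/root/.ssh" "$root/home" -name authorized_keys 2>/dev/null \
        | sed 's/^/[sshkey] /'

    # 4. Files that mention the miner by name in the usual drop and config locations.
    grep -rl -e xmrig -e monero "$root/etc" "$root/tmp" "$root/var/tmp" \
        "$root/usr/local" "$root/root" "$root/home" 2>/dev/null \
        | sed 's/^/[miner-ref] /'

    # 5. System binaries and config changed in the last 30 days (candidate implants).
    find "$root/usr/local/bin" "$root/usr/bin" "$root/etc" -type f -mtime -30 2>/dev/null \
        | sed 's/^/[recent] /'
    return 0
}

# From the recovery system, keep the result as a file for later review:
#   triage_mount /mnt > /root/triage.txt
```

Every path printed is a candidate, not a verdict; compare units, cron files and keys against a known-good install or backup before deciding what was planted.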
