Protection against hacking
Bogdan Pasechnik, 2015-09-08 10:04:28

How was my site on DigitalOcean hacked?

Database files, website files, etc. were encrypted. In each folder where files were encrypted there is a text file README.txt with content like this:
---
Your personal files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow to decrypt the files, located on a secret server on the Internet. After that, nobody and never will be able to restore files...
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 4.6 bitcoins (~1000 USD).
Without a key, you will never be able to get your original files back.
______________________________________________
!!!!!!!!!!!!!!!!!!!!! PURSE FOR PAYMNET: 13JqaSsVg2tVBpbbvbwgF2jzdK5Sn2rQ68 !!!!!!!!!!!!!!!!!!!!
After you made payment, you should send email to [email protected] - which must contains you're BTC wallet.
After this, our system will automatically check payment and send to your email private key for decryption.
If you have any questions about payment, you can also send to [email protected]!
---
I configured the server on DigitalOcean myself and paid for it. I understand that the files cannot be restored, but I would like to avoid this in the future. That's why I'm asking.
How was the hack most likely carried out? I want to protect myself at least somewhat from such situations on the new server. If the root password was stolen by a virus on my computer, that is one thing; if the hack was due to a clumsy server setup, that is a completely different question.

1 answer
chupasaurus, 2015-09-08

Once you are able to log in, check the ssh server's access logs and their contents.
In general, the scheme is simple: shodan.hq → RCE with uid 0 in the engine → result.
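The answer above tells the asker to read the ssh server logs. The following is an added example (not code from the answer or from the question author) of what that check looks like in practice: it parses the `sshd` lines OpenSSH writes to `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (RHEL/CentOS) and separates the two hypotheses raised in the question. A password stolen from the asker's own machine shows up as a clean `Accepted password for root` from an unfamiliar IP with no prior failures; a weak password found by brute force shows up as a run of `Failed password` lines from one IP followed by an `Accepted`. The log lines below are constructed sample data using documentation IP ranges, and the failure threshold is an assumption chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format OpenSSH uses for sshd events.
# These are NOT from the asker's server; IPs are from RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Sep  7 03:12:01 web sshd[1201]: Failed password for root from 203.0.113.45 port 51422 ssh2
Sep  7 03:12:03 web sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51430 ssh2
Sep  7 03:12:05 web sshd[1205]: Failed password for root from 203.0.113.45 port 51440 ssh2
Sep  7 03:12:07 web sshd[1207]: Failed password for root from 203.0.113.45 port 51452 ssh2
Sep  7 03:12:09 web sshd[1209]: Accepted password for root from 203.0.113.45 port 51460 ssh2
Sep  7 09:41:17 web sshd[1340]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: RSA SHA256:WlZy2fYz6vJ0vJdAxJcaRq0Dpo5XQbT1c9tyY4pEpFE
Sep  7 11:05:44 web sshd[1402]: Failed password for invalid user oracle from 203.0.113.88 port 60110 ssh2
"""

# Matches "Accepted <method> for <user> from <ip> port <n>" and
# "Failed <method> for [invalid user ]<user> from <ip> port <n>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd authentication event found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, fail_threshold=3):
    """Group events by source IP and flag what a responder would look at first.

    fail_threshold (an assumed value) is the number of failures from one IP
    that we treat as a brute-force attempt. A success is flagged when it comes
    from such an IP, or when it is a password (not key) login as root.
    """
    failures = Counter()
    successes = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        else:
            successes[ev["ip"]].append(ev)

    brute_force_ips = sorted(ip for ip, n in failures.items() if n >= fail_threshold)

    suspicious = []
    for ip, evs in successes.items():
        for ev in evs:
            reasons = []
            if ip in brute_force_ips:
                reasons.append("success after %d failures" % failures[ip])
            if ev["user"] == "root" and ev["method"] == "password":
                reasons.append("root password login")
            if reasons:
                suspicious.append(
                    {"ip": ip, "user": ev["user"], "method": ev["method"], "reasons": reasons}
                )

    return {
        "failures": dict(failures),
        "brute_force_ips": brute_force_ips,
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    # Replace SAMPLE_AUTH_LOG with open("/var/log/auth.log").read() on a real host.
    report = summarize(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, n in sorted(report["failures"].items()):
        print("%-16s %d failed logins" % (ip, n))
    for item in report["suspicious_logins"]:
        print("SUSPICIOUS %s as %s via %s: %s" % (item["ip"], item["user"], item["method"], "; ".join(item["reasons"])))
```

Two caveats when reading the result. First, the answer's third scenario, RCE through the web application, leaves nothing in `sshd` logs at all; in that case the web server access log (requests to upload or admin endpoints just before the encryption started) is where to look. Second, an attacker who already has uid 0 can truncate or edit these files, so an empty or too-clean log on the compromised host is itself a finding, not proof that nothing happened.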
