IWETHEY v. 0.3.0 | TODO
1,095 registered users | 2 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

New Start with the web server logs
That should give an idea of how the service was compromised. It will narrow the search parameters as to finding what was used. Looking for a cluster of 4xx responses may help as most compromises scan the server for vulnerabilities before striking.

If there's nothing in the web server log, or there are pieces missing, then you have a much bigger problem as that would indicate some type of privilege escalation beyond the web server.

Penetration testing tools like OpenVAS can be used to check for known holes, but as Digital Ocean has already made changes, that may no be very helpful at this stage. OpenVAS is a competent free tool, but can be a bear to get running from scratch. Some Linux distributions include it. (Kali Linux does. This is a specialist pen testing live disc distro.)
New thanks for the tip downloaded kali linux
"Science is the belief in the ignorance of the experts" – Richard Feynman
     How do I research a hack tool? - (drook) - (9)
         Dunno. Contact your computing appliance vendor? - (Another Scott) - (1)
             Yeah, Dreamhost noticed it about 5 hours before I did - (drook)
         bunch of them out there, also try sans.org thought I saw an article on last mailing -NT - (boxley)
         Start with the web server logs - (scoenye) - (1)
             thanks for the tip downloaded kali linux -NT - (boxley)
         And now a cron exploit? - (drook) - (3)
             Review at jobs as well -NT - (crazy)
             Other account's crontab? - (scoenye) - (1)
                 also note /etc/cron.daily cron.weekly cron.motnly and cron.hourly -NT - (boxley)

Trust me...
53 ms