Identification of potential unknown MITM / Malware that involves SSL connections

On my server, one of the services is a Discord bot. It was the log output below that led me to investigate.

In my syslogs I noticed three increasingly worrying elements:

do-agent(1066): 2019/08/25 08:50:21 
Sending metrics to DigitalOcean: Post https://sfo2.sonar.digitalocean.com/v1/metrics/droplet_id: 
x509: certificate is valid for *.com.com, com.com, not sfo2.sonar.digitalocean.com

discord-botd(26673): 2019/08/25 09:03:50
(DG0) wsapi.go:827:reconnect() error reconnecting to gateway, Get https://discordapp.com/api/v6/gateway: 
x509: certificate is valid for *.com.com, com.com, 
not discordapp.com

discord-botd(26673): 2019/08/25 09:04:59
(DG0) wsapi.go:827:reconnect() error reconnecting to gateway, 
x509: certificate is valid for www.chinanetcenter.com, oir.6rooms.com, upload.v.6.cn, pic.v.6.cn, uploadmp3.v.6.cn, *.1z123.com, ulink.6.cn, 
passport.6.cn, shrek.6.cn, www.huanpeng.com, img.huanpeng.com, mlog.chinanetcenter.com, mauth.chinanetcenter.com, i.g-fox.cn, s1.chunboimg.com, s2.chunboimg.com, s3.chunboimg.com, sstatic.chunboimg.com, s0.chunboimg.com, app.showcai.com.cn, auth.microfun.cn, ss.sysad.cn, ss.sysair.cn, sso.kongzhong.com, stc2.kongzhong.com, passport.kongzhong.com, auth-live.kongzhong.com, api.kongzhong.com, i.zhulang.com, m.zhulang.com, s.zhulang.com, app5.zhulang.com, www.cmyynet.com, start.crestdrop.net, load.ginamind.com, fast.sireech.com, play.homesava.net, 
qfcnc.calaprilia.net, mobcdn.znoopbag.net, start88.trackeast.com, play88.trackeast.net, amengsk.haitangbase.net, *.1zhe.com, res.samsungshop.com.cn, mobcdn.clerkin.net, h5cont.trueleffy.net, marsara.nidajudo.com, *.app.meitudata.com, *.meitu.com, *.meipai.com, *.meitubase.com, *.img4399.com, *.converse.com.cn, apk-ssl.tancdn.com, m.wywna.cn, media-qtil.licdn.com, media-exp1.licdn.com, media-exp2.licdn.com, media-exp3.licdn.com, media.licdn.com, platform-qtil.linkedin.com, platform.linkedin.com, static-qtil.licdn.com, static-exp1.licdn.com, static-exp2.licdn.com, static-exp3.licdn.com, static.licdn.com, m.staff.tcl.com, *.ourdvsss.com, cdn.zj96596.com, addons.cdn.mozilla.net, *.tcl.com, *.mall.tcl.com, www.17un.com, m.li0gx.cn, korhal8.clerkin.net, start88.nidajudo.com, usercenter-stage.ewfresh.com, pay-stage.ewfresh.com, mall-stage.ewfresh.com, order-stage.ewfresh.com, settle-stage.ewfresh.com, m.leinue.cn, m.aonanp.cn, m.nbuic.cn, m.xrhen.cn, m.zosue.cn, m.bustz.cn, m.yuwxe.cn, m.bxuwg.cn, m.ykdsbsc.cn, m.rushour.cn, m.nlpzzd.cn, *.xunsd.cn, m.mmgdfr.cn, m.kigoxhz.cn, m.xxqysj.cn, m.mmzdjq.cn, m.ybwbmk.cn, *.zhangyixun.cn, m.i2d1kc.cn, m.hr00.cn, m.ubmhu.cn, fsdext.fshares.com, fscant.fshares.com, www.fshares.io, fscan.fshares.io, fsdex.fshares.io, manage.fsdex.fshares.io, api.fshares.io, dex.api.fshares.io, manage.dex.api.fshares.io, chain.api.fshares.io, manage.chain.api.fshares.io, jpa.api.fshares.io, jpa.node.fshares.io, hka.api.fshares.io, hka.node.fshares.io, fs.fshares.io, guide.fshares.io, browser.api.fshares.io, wallet.api.fshares.io, wss.api.fshares.io, wss.dex.api.fshares.io, back.dex.api.fshares.io, back.chain.api.fshares.io, gate.dex.api.fshares.io, *.sg2046.cn, 
not gateway.discord.gg

After a restart, this disappeared.

openssl s_client -showcerts -connect showed nothing unusual (although I wish I had done this before restarting).

Some background:

  • The server is an updated Fedora 28 server.
  • The non-default services I run are:
    • a web server based on Golang (HTTP REST API)
    • a Golang-based Discord bot
    • Digital Ocean Statistics Agent
  • SSH has no password and the firewall is restricted to certain IP addresses.

I have not encountered this before nor can I find similar results on Google.

Is it possible to identify how this happened or if it is cause for concern?

Should I bomb the server?

Thank you!
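The errors above come from Go's crypto/x509, and one caveat matters for triage: x509.Verify checks the hostname before it attempts to build a chain to a trusted root, so a "certificate is valid for ..., not host" line by itself does not say whether the presented certificate was publicly trusted (traffic reached a server legitimately holding a certificate for other names, e.g. a wrong DNS answer or a CDN edge) or untrusted (a forged certificate, the interception case). The following is an added example, not code from the original post or from the bot; it splits the two checks so that a captured chain can be classified. Diagnose, Verdict and MakeTestChain are hypothetical names, and the CA and leaf built by MakeTestChain are a constructed offline fixture carrying the *.com.com SANs from the first syslog line, not the real certificates the server saw.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Diagnosis separates the two questions that one Go "x509: certificate is valid
// for ..., not host" line collapses: does the chain reach a trusted root, and
// is the leaf issued for the name that was dialed?
type Diagnosis struct {
	Trusted  bool     // chain validates against the roots (nil roots = system store)
	NameOK   bool     // leaf covers the expected host name
	LeafSANs []string // DNS names the peer presented; worth logging verbatim
	ChainErr string
	NameErr  string
}

// Diagnose runs the hostname and chain checks independently. crypto/x509's
// Verify returns a HostnameError before it attempts chain building, so the
// mismatch alone cannot tell a misrouted public certificate from a forged one.
func Diagnose(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, host string) Diagnosis {
	d := Diagnosis{LeafSANs: leaf.DNSNames}
	if err := leaf.VerifyHostname(host); err != nil {
		d.NameErr = err.Error()
	} else {
		d.NameOK = true
	}
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	// DNSName deliberately left empty: this call judges chain validity only.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool}); err != nil {
		d.ChainErr = err.Error()
	} else {
		d.Trusted = true
	}
	return d
}

// Verdict turns a Diagnosis into the triage note a responder wants.
func Verdict(d Diagnosis) string {
	switch {
	case d.Trusted && d.NameOK:
		return "valid for host: no TLS-level problem"
	case d.Trusted && !d.NameOK:
		return "publicly trusted certificate for other names: traffic reached a server legitimately holding it (wrong DNS answer, routing or CDN edge), not a forged certificate"
	case !d.Trusted && !d.NameOK:
		return "untrusted certificate for other names: consistent with active interception, preserve the chain"
	default:
		return "right name but untrusted chain: check the local CA bundle or a re-signing proxy"
	}
}

// MakeTestChain builds a throwaway CA plus a leaf with the given DNS SANs so the
// triage can run offline. Constructed fixture, not the certificates from the post.
func MakeTestChain(sans []string) (*x509.Certificate, *x509.CertPool) {
	must := func(err error) { if err != nil { panic(err) } }
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Fixture Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: sans[0]},
		DNSNames: sans, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(leafDER)
	must(err)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}

func main() {
	// Reproduce the first syslog line: a *.com.com certificate offered for the metrics host.
	leaf, roots := MakeTestChain([]string{"*.com.com", "com.com"})
	d := Diagnose(leaf, nil, roots, "sfo2.sonar.digitalocean.com")
	fmt.Println(d.NameErr) // same wording as the syslog entry
	fmt.Println(Verdict(d))
	fmt.Println(Verdict(Diagnose(leaf, nil, x509.NewCertPool(), "sfo2.sonar.digitalocean.com")))
}
```

To use this on a live connection while the error is still reproducing (the step the poster wished they had taken before restarting), dial with tls.Config{ServerName: host, InsecureSkipVerify: true} purely to capture conn.ConnectionState().PeerCertificates, then call Diagnose(certs[0], certs[1:], nil, host); nil roots makes Verify use the system trust store. Keep the captured DER chain: the SAN list in the third log entry is exactly the kind of evidence that lets you tell a misdirected CDN edge from an interception certificate.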