CyberPanel Community

Multiple Cyberpanel Servers Got Hacked

sage #1

I have multiple cyberpanel servers that got hacked. Hackers created subdirectories like /library and /apply. These subdirectories are then installed with job websites.

Some servers keep having 100% cpu usage. There is a “kthread” process that keeps using up all CPU resources.

How do I secure my servers now? So many websites have been affected.

22 replies
Luveedu Team #2

You can try this.

sage #3

I have followed the instructions to clear the malware. However, I still have one server that has a process “kthread” that uses 100% of cpu. How can this process be removed? Killing it kills all the websites.

Luveedu Team #4

You should backup and restore somewhere else.

This process seems to be a kernel process; take senior advice or your server admin's advice.

sage #5

Technical support replied that the server has been hit with crypto malware. It is related to cyberpanel’s recent hacks. They suggest that I move my websites to a new server and destroy the current one.
Can cyberpanel fix this problem? If not I will move my websites to a new server.
The current problem is there are two /opt/.kthread/kthread that kept using up all cpu resources.
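
Added example, not part of the original thread: a userland process can carry a kernel-looking name such as the `kthread` in post #5, but a genuine kernel thread has PPID 2 and no executable behind `/proc/<pid>/exe`. The sketch below classifies process rows on that basis; the verdict names, function names and sample rows (including the xmrig path) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real kernel threads are children of kthreadd (PID 2) and have
# no executable on disk, so readlink /proc/<pid>/exe returns nothing for them.

# classify_proc PID PPID COMM EXE -> prints one verdict word
classify_proc() {
    pid=$1 ppid=$2 comm=$3 exe=$4
    if [ -z "$exe" ]; then
        if [ "$pid" = 2 ] || [ "$ppid" = 2 ]; then echo kernel-thread
        else echo no-exe-readable; fi
        return
    fi
    case $exe in
        *" (deleted)")                echo suspicious-deleted-binary; return ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) echo suspicious-temp-path; return ;;
        */.*)                         echo suspicious-hidden-path; return ;;
    esac
    case $comm in   # kernel-style name, yet backed by a file on disk
        kthread*|kworker*|ksoftirqd*) echo suspicious-kernel-name; return ;;
    esac
    echo ok
}

# triage: read "pid ppid comm exe" rows on stdin, print only rows to review
triage() {
    while read -r pid ppid comm exe; do
        verdict=$(classify_proc "$pid" "$ppid" "$comm" "$exe")
        case $verdict in
            ok|kernel-thread) ;;
            *) echo "$pid $comm $exe $verdict" ;;
        esac
    done
}

# live_procs: build the same table from /proc on a Linux host (run as root)
live_procs() {
    for d in /proc/[0-9]*; do
        info=$(awk '/^Name:/{n=$2} /^PPid:/{p=$2} END{print p, n}' "$d/status" 2>/dev/null) || continue
        echo "${d#/proc/} $info $(readlink "$d/exe" 2>/dev/null)"
    done
}

# Constructed sample rows; the xmrig path is made up for illustration.
sample_procs() {
    printf '%s\n' '2 0 kthreadd' '37 2 kworker/0:1' '812 1 sshd /usr/sbin/sshd' \
        '4410 1 kthread /opt/.kthread/kthread' '4502 1 xmrig /tmp/xmrig'
}

sample_procs | triage    # on a live host: live_procs | triage
```

A deleted-binary verdict also appears for legitimate services after a package upgrade, so treat each row as something to review rather than proof of compromise.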

sage #6

I tried this to clear the malware on another server. A few hours later, my server got hit again. I still got two servers with 100% or 300% cpu usage. One is Kthread and the other xmrig process.

sage #7

I don’t think this script works anymore. The malware keeps coming back even though I have updated cyberpanel to the latest version.

Александр #8

Because Cyberpanel is one big flaw, get another panel and reinstall the server. The malware has already got all available, so only reinstallation.

Luveedu Team #9

Yes this script only works with kinsing.

They are releasing updates frequently, but as you can see, servers and panels are going down every time. The best option is changing your panel. And follow the security measures.

sage #10

There is more than one malware. Some of my websites have a job portal website installed. Some have a crypto mining process running on the server. Cyberpanel admins should have listed out all the issues.

Luveedu Team #11

I hope you tried the kinsing script. And is it working?

Mukesh Patel #12

If your site is working and you are able to log in to your wp-admin, then it is better to take a backup and create a new server with a control panel like xcloud host and serveravatar.

You can use ClamAV and LMD to find and remove viruses from your server but it is better to create a new server.

Also, don’t forget to check cronjob, tmp, ssh and root directory while scanning.

Lesson that everybody should learn from this incident — never blindly trust this type of control panel. Try xcloud host or ServerAvatar type of control panel.

sage #13

The kinsing script doesn’t work even though it detected malware. I solved the problem by removing the crypto mining malware. This solved the 100% CPU usage problem. Then moved all my websites to another server. Without removing the crypto mining malware, it’s not possible to do anything as the CPU is always at 100%.

sage #14

Thanks for the advice. xcloud host or ServerAvatar are not freeware. Those can be compared to Cpanel and Plesk. Should compare cyberpanel to freeware panels like webmin+virtualmin or cloudpanel+mailcow, aapanel, etc. I have tried those and am coming back to cyberpanel. Hopefully the cyberpanel team can make their panel more secure.

Mukesh Patel #15

You’re right. It is not good to compare a premium service to the freeware control panel.

But first thing, I am not comparing CyberPanel with any other control panel. I am just giving suggestions. Comparison and suggestions are two different things.

Second thing, I suggested xcloud.host and ServerAvatar for those who are looking for a free alternative control panel, and both of these have a free option. You can manage 1 server with 10 websites on xcloudhost without paying anything and live support is awesome.

CyberPanel is also a good panel with good performance. If you want to use it, then you can, but if somebody may get a better option, then what is wrong with suggesting it to them?

Currently, CloudPanel is a good option compared to aapanel, CyberPanel, and others. CyberPanel is too buggy. 60% of my clients have switched to CloudPanel and others are switching to other web-based panels.

Note: I am affiliated with any of these software/panel.

evgsav1 #16

I have over 60 servers running CyberPanel. Not a single server or site has been compromised.
The recipe is simple:

  1. Regular updates (automated)
  2. Disabled lscpd
  3. All servers without root (access by ssh key)
  4. Crowdsec

Luveedu Team #19

I am also there, it's good, just nginx - it's missing Varnish, otherwise great.

Mikael99 #20

It is open source and so insecure. The whole reason Cyberpanel got hacked was because it is open source so open to nasty evil people who can easily exploit it.

As soon as Hestia gets popular, it will also be easily hacked. Open source by nature is insecure and really a terrible model for a control panel facing public.

CaptainMorgan #21

Incorrect. It’s more secure - the issue with Cyberpanel was the problem was discovered but the Cyberpanel team failed to inform anyone about it before they gave permission for it to be made public - exactly the same issue can (and does) occur in proprietary software but you have the added issue that proprietary software also likely includes malware from the developer themselves which nobody can do anything about because the source code is not available.

Mikael99 #22

This exploit wouldn’t have been discovered if the source wasn’t available to this nasty person looking for fame.

You shouldn’t use Windows and any proprietary software at all because big bad developers are all packing malware lool. That’s just an insane way of thinking. Unfortunately, it’s the only defense I hear from OSS fanboys, the funny thing is they say this while literally everything on their PC is proprietary.

Open source is trash, most open source software is trash. This has been a great lesson for me to not use open source for mission critical sites where my money is on the line. The only reason I use Cyberpanel is because it is free but I have moved to Centminmod (nginx) for some other sites.

CaptainMorgan #23

There is no telling what exploits would or would not have been discovered if it was closed source. It may not have been this one, it may have been another. It doesn’t really matter, if the dev team acted in the same way the result would be the same. The openness of the code however allows outsiders to find exploits and inform the developers who can then fix them - and make sure the fix is applied before going public.

I don’t use Windows or any proprietary software :slight_smile:

Mikael99 #24

Whataboutism - Whataboutism - Wikipedia

I agree about the developers completely messing this up.

Good on you for sticking to your principles but most people don’t. They talk trash about proprietary software while at the same time preferring to use proprietary software - some even using non-legit versions :grin:

MrDollar2017 #25

It is ok for software being open-source.

After reviewing the bug it was obvious, it totally missed the proper authentication, just a few lines of code could have prevented that hack. How that mistake was made in the first place, it's the basics of programming. If they are making mistakes like that who knows how much other bad code there is, I can’t spare that much time to investigate.

I lost some clients after my Cyberpanel server got hacked, clients don’t care about whose fault it is. My company’s reputation suffered, at least we had backups and managed to restore websites one by one, but it cost a lot of time. I never fully trusted those developers after I learned where they are from. Luckily I used Directadmin for my other clients and it wasn’t affected during this incident.
