Hi,
Recently I got attacked and its only happening on a server that cyberpanel installed, I think the attacker is exploiting zero days on cyberpanel.
I think the attacker is exploiting lscpd access and then gaining root access from it, and then they changed permitrootlogin on sshd and added their sshkeys on root .ssh, so they gaining permanent access.
I defended mine, please check yours.