My CyberPanel server:8090 suddenly refused to load. All sites refused to connect.
But I can log in via root SSH.
On 3 occasions the same thing happened, but after restarting the server from root SSH it came back online.
As I write, the sites have been off for 15 hours. I have restarted the server and resized it to allocate higher vCPU, RAM and bandwidth, still no result.
I will kindly and humbly appeal for assistance.
Try allowing your IP with CSF from SSH; use
csf -a [IP.add.re.ss]
or try with a VPN if your own IP got blocked for some reason.
Welcome @simdia Happy you are here
Flush DNS cache:
ipconfig /flushdns on Windows, or
dscacheutil -flushcache; sudo killall -HUP mDNSResponder on macOS, or
systemd-resolve --flush-caches on Ubuntu
Thank you. However, I have done that; it didn't solve the issue.
Actually, the downtime is not only within my horizon but across the web. The CyberPanel admin cannot be accessed, and likewise all hosted sites aren't accessible.
Post the contents of running this command, htop, and run it side-by-side with your favourite browser until you see the error (install it with):
apt install -y htop || yum install -y htop || dnf install -y htop
Take a screenshot or a video and post it on YouTube so I can see what is going on.
Here are some images:
Your server is hacked. Your server has the crypto miner xmrig installed. If I were you, I would spin up a new server with new SSH keys and basic security hardening and migrate everything there.
Thank you very much!
How do I migrate from CentOS 7 with CyberPanel to another server?
You need to use the remote backup function or do it manually from backups.
Try looking at the cron jobs that install and start xmrig, and find the SSH key the hacker used to get access to your root account, and delete those. After that, kill the xmrig process and delete the xmrig files. Then you should have access to the CyberPanel admin area and the remote backup feature.
If you can't manage to get access to the admin area and don't have backups, then you need to move the site files and databases to a new server over SSH, or use the SSH credentials in an SFTP client to download and move them.
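The triage the reply above describes (cron entries that start the miner, unexpected keys in root's authorized_keys, a running miner process) can be scripted so that nothing is changed on the box until the findings are reviewed. The script below is an added example and not from the thread or from CyberPanel; it builds a constructed scratch tree with sample cron and authorized_keys files, so it runs offline. The miner names in the pattern, the pool address and the key material are all constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage of cron entries,
# root's authorized_keys and running processes. All inputs are constructed.

# Scratch tree that mimics the relevant parts of a Linux root filesystem.
TRIAGE_ROOT="$(mktemp -d)"
trap 'rm -rf "$TRIAGE_ROOT"' EXIT
mkdir -p "$TRIAGE_ROOT/etc/cron.d" "$TRIAGE_ROOT/var/spool/cron" "$TRIAGE_ROOT/root/.ssh"

# Constructed cron samples: two legitimate jobs and one that launches xmrig.
printf '0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$TRIAGE_ROOT/etc/crontab"
printf '0 3 * * * root /usr/bin/certbot renew -q\n' > "$TRIAGE_ROOT/etc/cron.d/certbot"
printf '*/5 * * * * /tmp/.x/xmrig -o pool.example.invalid:3333 >/dev/null 2>&1\n' \
    > "$TRIAGE_ROOT/var/spool/cron/root"

# Constructed authorized_keys: an admin key with a comment, and an unknown
# key with no comment (the kind of entry an intruder adds to keep access).
cat > "$TRIAGE_ROOT/root/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKeyExampleAdminKeyExampleAdmi admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleUnknownKeyExampleUnknownKeyExample
EOF

# Print "file:line:content" for every cron line under ROOT that names a
# known miner binary; prints nothing (and exits 0) when the tree is clean.
find_miner_cron_entries() {
    root="$1"
    grep -rniE 'xmrig|minerd|kdevtmpfsi' \
        "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron" 2>/dev/null || true
}

# Print the comment field of each authorized_keys entry, or "<no-comment>"
# when it is missing, so each key can be matched to a known person.
list_key_comments() {
    awk 'NF >= 2 { print ($3 == "" ? "<no-comment>" : $3) }' "$1"
}

# Count running processes whose command line names a miner. The [x] bracket
# trick stops grep from matching its own command line in the ps output.
count_miner_processes() {
    ps -eo args= 2>/dev/null | grep -ciE '[x]mrig|[m]inerd|[k]devtmpfsi' || true
}

triage_report() {
    echo "== cron entries referencing a miner =="
    find_miner_cron_entries "$1"
    echo "== authorized_keys comments (root) =="
    list_key_comments "$1/root/.ssh/authorized_keys"
    echo "== miner processes currently running =="
    count_miner_processes
}

triage_report "$TRIAGE_ROOT"
```

On a real host, point the functions at `/` instead of the scratch tree and, for the process check, also compare each suspicious PID's `/proc/<pid>/exe` link, since a miner that deleted its own binary will show up as "(deleted)" there.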
No need to do this.
Use an earlier snapshot of your server if you do not need any data on the server currently.
Do you have Imunify360? You can use Malware Cleanup in Imunify.
Drop CentOS 7; it's near its EOL. I prefer and use AlmaLinux 8 or Ubuntu 20.04.
Take the necessary precautions to harden your distro, e.g.:
- Disable root SSH login
- Change SSH port 22 to another open port
- Install rkhunter to hunt for rootkits
- Use a reputable IPS; personally I detest fail2ban
- Use Lynis to detect any weaknesses in your system
- Use PAM, AppArmor, etc.
There are a million things you can do to protect your server.
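The first two items in the list above (root SSH login, the default port) plus password authentication can be checked mechanically before and after hardening. The script below is an added example, not from the thread or from any of the tools named; it writes two constructed sshd_config files, one with common defaults and one hardened, and audits both read-only. The port number 2222 and the option defaults applied for missing keys (Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes) are assumptions that match recent OpenSSH releases.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of sshd_config files
# for root login, default port and password authentication. Inputs are constructed.

WEAK_CFG="$(mktemp)"
HARD_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# constructed: the defaults many distro images ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed: hardened per the advice in the thread
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Effective value of one option. sshd honours the FIRST occurrence of a key,
# so take the first uncommented match (keys are case-insensitive) in lowercase.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Print one "FINDING:" line per weak setting; always returns 0 so the caller
# can count findings instead of relying on exit status.
audit_sshd_config() {
    cfg="$1"
    port="$(sshd_option "$cfg" Port)";                      port="${port:-22}"
    root_login="$(sshd_option "$cfg" PermitRootLogin)";     root_login="${root_login:-prohibit-password}"
    pw_auth="$(sshd_option "$cfg" PasswordAuthentication)"; pw_auth="${pw_auth:-yes}"

    [ "$port" = "22" ]       && echo "FINDING: Port is the default 22 (move to another open port)"
    [ "$root_login" = "yes" ] && echo "FINDING: PermitRootLogin yes (set to no)"
    [ "$pw_auth" = "yes" ]   && echo "FINDING: PasswordAuthentication yes (use keys and set to no)"
    return 0
}

# Number of findings for a config file, as a plain integer.
count_findings() {
    audit_sshd_config "$1" | grep -c '^FINDING' || true
}

echo "== weak config =="
audit_sshd_config "$WEAK_CFG"
echo "findings: $(count_findings "$WEAK_CFG")"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG"
echo "findings: $(count_findings "$HARD_CFG")"
```

On a live server, feed the functions the output of `sshd -T` (which prints the effective configuration with includes and Match blocks resolved) rather than the raw file, and restart sshd only after confirming a second session can still log in.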
Well-detailed information from you.
Firstly, before I proceed: as I do not have an earlier snapshot, how do I kill the p2pclient of the malware and delete it? This is because there are important files on the server.
Secondly, how do I get CyberPanel or any of the sites online in order to manually take some files out?
Also, here is a list of enabled and disabled system services; kindly take a look.
Do you have docker installed?
I only installed CyberPanel.
Oh OK, it seems you are running a container runtime called containerd; confirm with your service provider. If not, then the bad actor downloaded Docker on your RHEL server and has overrun your server with multiple malware. I am seeing a process that looks like a bot, a peer-to-peer client that has added your server to a network, most probably a botnet (worst-case scenario).
Course of action:
- Get an Imunify360 trial or just pay for a month to clean up your server. See this: https://cloudlinux.zendesk.com/hc/en-us/articles/360011038753-Imunify360-Malware-Cleanup-FAQ-Admin-Part-
- If your server has been so totally infected that Imunify cannot even install, then just reinstall the OS and upgrade all packages, plus get Imunify360 as soon as it's restored. Please do not use CentOS 7.
You are definitely right.
I traced the server; it pointed to a Threat Scanner server hosted with China Telecom.
If I reinstall the OS, will CyberPanel and all sites still be intact?
Here is a snapshot of the Imunify360 installation, which I'm currently retrying:
Could this be a control panel compatibility issue, as I try to follow the installation steps regardless of the control panel in use?
Damn, did you have important content on that server? Do you have any backups?
No snapshots or backups, just a new server but with important info. I wish I could either enable or start any system service that is preventing connection to the outside world, in order to access the panel at least.
Due to the new-user restriction on replies, here are my updates and replies:
Yes, indeed, I was able to access the public folder on one site.
Kindly take a look.
But MySQL I couldn't.