Cyberpanel suddenly refused to load - ERR_CONNECTION_REFUSED

Thank you. However, I have done that; it didn’t solve the issue.

Actually, the downtime is not only within my horizon, but across the web. The CyberPanel admin cannot be accessed; likewise, none of the hosted sites are accessible.

  1. Post the contents of running this command nano /home/cyberpanel/error-logs.txt and nano /usr/local/lsws/logs/error.log

  2. Set up htop and run it side-by-side with your favourite browser until you see the error:

apt install -y htop || yum install -y htop || dnf install -y htop

Take a screenshot or a video and post it on YouTube so I can see what is going on.

1 Like

Thank you once more for responses.

Here is what I could fetch. Kindly check the images.

Here are some images:

thanks

Your server is hacked. Your server has the crypto miner xmrig installed. If I were you, I would spin up a new server with new SSH keys and basic security hardening and migrate everything there.

1 Like

thank you very much !

How do I migrate from CentOS 7 with CyberPanel to another server?

You need to use the remote backup function or do it manually from backups.

Try looking for the cron jobs that install and start xmrig, find the SSH key that the hacker used to get access to your root account, and delete those. After that, kill the xmrig process and delete the xmrig files. Then you should have access to the CyberPanel admin area and the remote backup feature.

If you don’t manage to get access to the admin area and don’t have backups, then you need to move the site files and databases to the new server over SSH, or use the SSH credentials in an SFTP client to download and move them.
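The checks suggested in the reply above (cron jobs, SSH keys, running processes), as an added example that is not part of the original thread. The function names and the match patterns are assumptions; only xmrig and p2pclient come from this thread, and the script only reads and reports.

```shell
#!/bin/sh
# Added example: read-only triage of cron, authorized_keys and processes.
# Pass a root directory (/, or a mounted copy of the disk) as $1 to run it.

# xmrig and p2pclient are the names seen in this thread; the stratum and
# download-piped-to-shell patterns are assumptions about typical miner droppers.
SUSPICIOUS_RE='xmrig|p2pclient|stratum\+tcp|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'

cron_files() {   # system cron locations plus per-user spools (RHEL and Debian)
  find "$1/etc/crontab" "$1/etc/cron.d" "$1/etc/cron.hourly" "$1/etc/cron.daily" \
       "$1/var/spool/cron" -type f 2>/dev/null
}

suspicious_cron() {   # prints file:line:text for non-comment matches
  cron_files "$1" | while IFS= read -r f; do
    grep -EnH -- "$SUSPICIOUS_RE" "$f" |
      grep -Ev '^[^:]+:[0-9]+:[[:space:]]*#' || true
  done
}

authorized_keys_entries() {   # prints file, key type, comment (tab-separated)
  find "$1/root" "$1/home" -maxdepth 3 -type f \
       \( -name authorized_keys -o -name authorized_keys2 \) 2>/dev/null |
  while IFS= read -r f; do
    awk -v f="$f" '!/^[ \t]*(#|$)/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
        print f "\t" $i "\t" ($(i+2) == "" ? "(no comment)" : $(i+2)); break }
    }' "$f"
  done
}

suspicious_procs() {   # stdin: output of `ps -eo pid,user,pcpu,args`
  grep -E -- "$SUSPICIOUS_RE|[[:space:]]/(tmp|var/tmp|dev/shm)/" || true
}

triage() {
  echo "== cron entries that fetch or start a miner =="
  suspicious_cron "$1"
  echo "== authorized_keys entries (delete any key you did not install) =="
  authorized_keys_entries "$1"
  echo "== processes matching the patterns or started from temp dirs =="
  ps -eo pid,user,pcpu,args | suspicious_procs
}

if [ -n "${1:-}" ]; then triage "$1"; fi
```

Run it as root so that every user's crontab and key file is readable.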

No need to do this.

  1. Use an earlier snapshot of your server if you do not need any data on the server currently.

  2. Do you have Imunify360? You can use Malware Cleanup in Imunify.

  3. Drop CentOS 7; it’s near its EOL. I prefer and use AlmaLinux 8 or Ubuntu 20.04.

Take the necessary precautions to harden your distro, e.g.:

  1. Disable root SSH login
  2. Change SSH port 22 to another open port
  3. Install rkhunter to hunt for rootkits
  4. Use a reputable IPS; personally, I detest fail2ban
  5. Use Lynis to detect any weaknesses in your system
  6. Use PAM, AppArmor, etc.

There are a million things you can do to protect your server.

2 Likes
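A check for the first two items in the list above (root SSH login and the SSH port), as an added example that is not part of the original thread. The function names and the sample config are constructed for illustration; on a live server `sshd -T` prints the effective settings, including defaults.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for root login and port 22.
# Keywords are case-insensitive; for PermitRootLogin sshd uses the first value
# it reads, while Port may be given several times (all of them are listened on).

sshd_values() {   # $1 = file, $2 = lowercase keyword; global section only
  awk -v k="$2" '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    tolower($1) == "match" { exit }         # stop at the first Match block
    tolower($1) == k { print tolower($2) }' "$1"
}

sshd_audit() {   # prints one finding per line, nothing if both checks pass
  root=$(sshd_values "$1" permitrootlogin | head -n 1)
  ports=$(sshd_values "$1" port)
  case "$root" in
    no) ;;
    "") echo "PermitRootLogin: not set, compiled-in default applies; set it to no" ;;
    *)  echo "PermitRootLogin: $root; set it to no" ;;
  esac
  if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22; then
    echo "Port: sshd still listens on 22"
  fi
}

# Constructed sample: root login enabled and the port left at its default.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$sample"
sshd_audit "$sample"
rm -f "$sample"
```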

Well detailed information from you.
Appreciated !
Firstly, before I proceed: as I do not have an earlier snapshot, how do I kill the p2pclient of the malware and delete it? This is because there are important files on the server.

Secondly, how do I get CyberPanel or any of the sites online in order to manually take some files out?

Thanks

Also, here is a list of enabled and disabled system services; kindly take a look.

best

Do you have Docker installed?

I only installed CyberPanel.

Oh OK, it seems you are running a container runtime called containerd; confirm with your service provider. If not, then the bad actor downloaded Docker on your RHEL server and has overrun your server with multiple malware. I am seeing a process that looks like a bot, a peer-to-peer client that has added your server to a network, most probably a botnet (worst-case scenario).

Course of action:

  1. Get an Imunify360 trial, or just pay for a month, to clean up your server. See this: https://cloudlinux.zendesk.com/hc/en-us/articles/360011038753-Imunify360-Malware-Cleanup-FAQ-Admin-Part-
  2. If your server has been totally infected to the point that Imunify cannot even install, then just reinstall the OS and upgrade all packages, plus get Imunify360 as soon as it’s restored. Please do not use CentOS 7.

1 Like

You are definitely right.

I traced the server; it pointed to a Threat Scanner server hosted with chinatelecom.
If I reinstall the OS, will CyberPanel and all sites still be intact?
Here is a snapshot of the Imunify360 installation, which I’m currently retrying:

Could this be a control panel compatibility issue, as I try to follow the installation steps no matter the control panel in use?

Damn did you have important content on that server? Do you have any backups?

No snapshots or backups, just a new server, but with important info. I wish I could either enable/start any system service preventing connection to the outside world in order to access the panel at least.

------------------Due to new user restriction on reply, here are my updates and replies -----

Yes, indeed, I was able to access the public folder on one site.
Kindly take a look.

But MySQL, I couldn’t.

Can you access mysql through the console?

Can you access /home/myclientsdomain.net/public_html?

If you cannot access both, or both paths do not exist, then no luck; you have to reinstall the server OS.

Kindly move to a service provider that offers backups as an add-on or snapshot management. This will save you this kind of hassle.

1 Like

Update to the Issue.

I was able to access my home directory and MySQL database files. I had to first dump the databases, then use SCP to copy the database (.sql) files from the server to my local machine (in this case my physical Mac).

The server will be destroyed.

After much observation, I realized that the attacker from China had a way he got through via CyberPanel on CentOS 7.

PS: DO NOT use CyberPanel on CentOS 7; you should use CyberPanel on another OS. Ubuntu is preferable.

Issue solved !
