Hello, all my cyberpanel domains are pointing to a zip file hosted on a discord server.
I already reviewed the files in the manager and found nothing. Is this virus at the root of the server?
Hello @Homeclb10
To identify use htop
apt install -y htop || yum install -y htop || dnf install -y htop
Reboot your server and open htop next to a browser with some of your websites open. Post a screenshot here
Another way would be to scan your server for malware using Lynis - Security auditing tool for Linux, macOS, and Unix-based systems - CISOfy | Lynis - Security auditing tool for Linux, macOS, and Unix-based systems - CISOfy
$ sudo apt-get install lynis
$ sudo lynis audit system
OR/AND
using Rootkit Hunter aka Rkhunter to scan for backdoors (the latest version is really old I would not rely on it)
$ wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
$ tar -xvf rkhunter-1.4.6.tar.gz
$ cd rkhunter-1.4.6
$ ./installer.sh --layout default --install
[root@vmi345268 ~]# dnf install -y htop
Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/litespeed.repo; Configuration: OptionBinding with id “failovermethod” does not exist
Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/litespeed.repo; Configuration: OptionBinding with id “failovermethod” does not exist
Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/litespeed.repo; Configuration: OptionBinding with id “failovermethod” does not exist
Invalid configuration value: failovermethod=priority in /etc/yum.repos.d/litespeed.repo; Configuration: OptionBinding with id “failovermethod” does not exist
CentOS-8 - Base 25 kB/s | 8.1 kB 00:00
Errors during downloading metadata for repository ‘BaseOS’:
- Status code: 404 for https://vault.centos.org/almalinux/8/BaseOS/x86_64/os/repodata/repomd.xml (IP: 13.224.103.96)
Error: Failed to download metadata for repo ‘BaseOS’: Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
[root@vmi345268 ~]#
I’m using Centos 8
The failover parameter has to be removed from the different files which hold the repository information for the different packages installed in AlmaLinux
## backup first
$ sed -iBAK '/^failovermethod=/d' /etc/yum.repos.d/*.repo
## remove
$ sed '/^failovermethod=/d' /etc/yum.repos.d/*.repo
$ dnf update && dnf install epel-release
$ dnf install htop
$ htop
[05:13:18] Info: Starting test name ‘system_commands’
[05:13:18] Checking system commands…
[05:13:18]
[05:13:18] Info: Starting test name ‘strings’
[05:13:18] Performing ‘strings’ command checks
[05:13:18] Scanning for string /usr/sbin/ntpsx [ OK ]
[05:13:18] Scanning for string /usr/sbin/…/bkit-ava [ OK ]
[05:13:18] Scanning for string /usr/sbin/…/bkit-d [ OK ]
[05:13:18] Scanning for string /usr/sbin/…/bkit-shd [ OK ]
[05:13:18] Scanning for string /usr/sbin/…/bkit-f [ OK ]
[05:13:18] Scanning for string /usr/include/…/proc.h [ OK ]
[05:13:18] Scanning for string /usr/include/…/.bash_history [ OK ]
[05:13:18] Scanning for string /usr/include/…/bkit-get [ OK ]
[05:13:18] Scanning for string /usr/include/…/bkit-dl [ OK ]
[05:13:18] Scanning for string /usr/include/…/bkit-screen [ OK ]
[05:13:18] Scanning for string /usr/include/…/bkit-sleep [ OK ]
[05:13:18] Scanning for string /usr/lib/…/bkit-adore.o [ OK ]
[05:13:18] Scanning for string /usr/lib/…/ls [ OK ]
[05:13:18] Scanning for string /usr/lib/…/netstat [ OK ]
[05:13:18] Scanning for string /usr/lib/…/lsof [ OK ]
[05:13:18] Scanning for string /usr/lib/…/bkit-ssh/bkit-shdcfg [ OK ]
[05:13:18] Scanning for string /usr/lib/…/bkit-ssh/bkit-shhk [ OK ]
[05:13:19] Scanning for string /usr/lib/…/bkit-ssh/bkit-pw [ OK ]
[05:13:19] Scanning for string /usr/lib/…/bkit-ssh/bkit-shrs [ OK ]
[05:13:19] Scanning for string /usr/lib/…/bkit-ssh/bkit-mots [ OK ]
[05:13:19] Scanning for string /usr/lib/…/uconf.inv [ OK ]
[05:13:19] Scanning for string /usr/lib/…/psr [ OK ]
[05:13:19] Scanning for string /usr/lib/…/find [ OK ]
[05:13:19] Scanning for string /usr/lib/…/pstree [ OK ]
[05:13:19] Scanning for string /usr/lib/…/slocate [ OK ]
[05:13:19] Scanning for string /usr/lib/…/du [ OK ]
[05:13:19] Scanning for string /usr/lib/…/top [ OK ]
[05:13:19] Scanning for string /usr/sbin/… [ OK ]
[05:13:19] Scanning for string /usr/include/… [ OK ]
[05:13:19] Scanning for string /usr/include/…/.tmp [ OK ]
[05:13:19] Scanning for string /usr/lib/… [ OK ]
[05:13:19] Scanning for string /usr/lib/…/.ssh [ OK ]
[05:13:19] Scanning for string /usr/lib/…/bkit-ssh [ OK ]
[05:13:19] Scanning for string /usr/lib/.bkit- [ OK ]
[05:13:19] Scanning for string /tmp/.bkp [ OK ]
[05:13:19] Scanning for string /tmp/.cinik [ OK ]
[05:13:19] Scanning for string /tmp/.font-unix/.cinik [ OK ]
[05:13:19] Scanning for string /lib/.sso [ OK ]
[05:13:20] Scanning for string /lib/.so [ OK ]
[05:13:20] Scanning for string /var/run/…dica/clean [ OK ]
[05:13:20] Scanning for string /var/run/…dica/dxr [ OK ]
[05:13:20] Scanning for string /var/run/…dica/read [ OK ]
[05:13:20] Scanning for string /var/run/…dica/write [ OK ]
[05:13:20] Scanning for string /var/run/…dica/lf [ OK ]
[05:13:20] Scanning for string /var/run/…dica/xl [ OK ]
[05:13:20] Scanning for string /var/run/…dica/xdr [ OK ]
[05:13:20] Scanning for string /var/run/…dica/psg [ OK ]
[05:13:20] Scanning for string /var/run/…dica/secure [ OK ]
[05:13:20] Scanning for string /var/run/…dica/rdx [ OK ]
[05:13:20] Scanning for string /var/run/…dica/va [ OK ]
[05:13:20] Scanning for string /var/run/…dica/cl.sh [ OK ]
[05:13:20] Scanning for string /var/run/…dica/last.log [ OK ]
[05:13:20] Scanning for string /usr/bin/.etc [ OK ]
[05:13:20] Scanning for string /etc/sshd_config [ OK ]
[05:13:20] Scanning for string /etc/ssh_host_key [ OK ]
[05:13:20] Scanning for string /etc/ssh_random_seed [ OK ]
[05:13:20] Scanning for string /dev/ptyp [ OK ]
[05:13:20] Scanning for string /dev/ptyq [ OK ]
[05:13:20] Scanning for string /dev/ptyr [ OK ]
[05:13:21] Scanning for string /dev/ptys [ OK ]
[05:13:21] Scanning for string /dev/ptyt [ OK ]
[05:13:21] Scanning for string /dev/fd/.88/freshb-bsd [ OK ]
[05:13:21] Scanning for string /dev/fd/.88/fresht [ OK ]
[05:13:21] Scanning for string /dev/fd/.88/zxsniff [ OK ]
[05:13:21] Scanning for string /dev/fd/.88/zxsniff.log [ OK ]
[05:13:21] Scanning for string /dev/fd/.99/.ttyf00 [ OK ]
[05:13:21] Scanning for string /dev/fd/.99/.ttyp00 [ OK ]
[05:13:21] Scanning for string /dev/fd/.99/.ttyq00 [ OK ]
[05:13:21] Scanning for string /dev/fd/.99/.ttys00 [ OK ]
[05:13:21] Scanning for string /dev/fd/.99/.pwsx00 [ OK ]
[05:13:21] Scanning for string /etc/.acid [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/sched_host.2 [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/random_d.2 [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/set_pid.2 [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/setrgrp.2 [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/TOHIDE [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/cons.saver [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/adore/ava/ava [ OK ]
[05:13:21] Scanning for string /usr/lib/.fx/adore/adore/adore.ko [ OK ]
[05:13:22] Scanning for string /bin/sysback [ OK ]
[05:13:22] Scanning for string /usr/local/bin/sysback [ OK ]
[05:13:22] Scanning for string /usr/lib/.tbd [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/t0rns [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/du [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/ls [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/t0rnsb [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/ps [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/t0rnp [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/find [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/ifconfig [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/pg [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/ssh.tgz [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/top [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/sz [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/login [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/in.fingerd [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/1i0n.sh [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/pstree [ OK ]
[05:13:22] Scanning for string /dev/.lib/lib/lib/in.telnetd [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/lib/mjy [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/lib/sush [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/lib/tfn [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/lib/name [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/lib/getip.sh [ OK ]
[05:13:23] Scanning for string /usr/info/.torn/sh* [ OK ]
[05:13:23] Scanning for string /usr/src/.puta/.1addr [ OK ]
[05:13:23] Scanning for string /usr/src/.puta/.1file [ OK ]
[05:13:23] Scanning for string /usr/src/.puta/.1proc [ OK ]
[05:13:23] Scanning for string /usr/src/.puta/.1logz [ OK ]
[05:13:23] Scanning for string /usr/info/.t0rn [ OK ]
[05:13:23] Scanning for string /dev/.lib [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/lib [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/lib/dev [ OK ]
[05:13:23] Scanning for string /dev/.lib/lib/scan [ OK ]
[05:13:23] Scanning for string /usr/src/.puta [ OK ]
[05:13:23] Scanning for string /usr/man/man1/man1 [ OK ]
[05:13:23] Scanning for string /usr/man/man1/man1/lib [ OK ]
[05:13:23] Scanning for string /usr/man/man1/man1/lib/.lib [ OK ]
[05:13:23] Scanning for string /usr/man/man1/man1/lib/.lib/.backup [ OK ]
[05:13:24]
[05:13:24] Info: Starting test name ‘shared_libs’
[05:13:24] Performing ‘shared libraries’ checks
[05:13:24] Checking for preloading variables [ None found ]
[05:13:24] Checking for preloaded libraries [ None found ]
[05:13:24]
[05:13:24] Info: Starting test name ‘shared_libs_path’
[05:13:24] Checking LD_LIBRARY_PATH variable [ Not found ]
[05:13:24]
[05:13:24] Info: Starting test name ‘properties’
[05:13:24] Performing file properties checks
[05:13:24] Warning: Checking for prerequisites [ Warning ]
[05:13:24] The file of stored file properties (rkhunter.dat) does not exist, and should be created. To do this type in ‘rkhunter --propupd’.
[05:13:24] Info: The file properties check will still run as there are checks that can be performed without the ‘rkhunter.dat’ file.
[05:13:24]
[05:13:24] Warning: WARNING! It is the users responsibility to ensure that when the ‘–propupd’ option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter ‘–check’ option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
[05:13:26] /usr/local/bin/rkhunter [ OK ]
[05:13:26] /usr/sbin/adduser [ OK ]
[05:13:26] /usr/sbin/chkconfig [ OK ]
[05:13:26] /usr/sbin/chroot [ OK ]
[05:13:27] /usr/sbin/depmod [ OK ]
[05:13:27] /usr/sbin/fsck [ OK ]
[05:13:27] /usr/sbin/fuser [ OK ]
[05:13:27] /usr/sbin/groupadd [ OK ]
[05:13:27] /usr/sbin/groupdel [ OK ]
[05:13:27] /usr/sbin/groupmod [ OK ]
[05:13:27] /usr/sbin/grpck [ OK ]
[05:13:27] /usr/sbin/ifconfig [ OK ]
[05:13:27] /usr/sbin/ifdown [ OK ]
[05:13:28] /usr/sbin/ifup [ OK ]
[05:13:28] /usr/sbin/init [ OK ]
[05:13:28] /usr/sbin/insmod [ OK ]
[05:13:28] /usr/sbin/ip [ OK ]
[05:13:28] /usr/sbin/lsmod [ OK ]
[05:13:28] /usr/sbin/modinfo [ OK ]
[05:13:28] /usr/sbin/modprobe [ OK ]
[05:13:28] /usr/sbin/nologin [ OK ]
[05:13:28] /usr/sbin/ping [ OK ]
[05:13:29] /usr/sbin/pwck [ OK ]
[05:13:29] /usr/sbin/rmmod [ OK ]
[05:13:29] /usr/sbin/route [ OK ]
[05:13:29] /usr/sbin/rsyslogd [ OK ]
[05:13:29] /usr/sbin/runlevel [ OK ]
[05:13:29] /usr/sbin/sestatus [ OK ]
[05:13:29] /usr/sbin/sshd [ OK ]
[05:13:29] /usr/sbin/sulogin [ OK ]
[05:13:29] /usr/sbin/sysctl [ OK ]
[05:13:30] /usr/sbin/useradd [ OK ]
[05:13:30] /usr/sbin/userdel [ OK ]
[05:13:30] /usr/sbin/usermod [ OK ]
[05:13:30] /usr/sbin/vipw [ OK ]
[05:13:30] /usr/bin/awk [ OK ]
[05:13:30] /usr/bin/basename [ OK ]
[05:13:30] /usr/bin/bash [ OK ]
[05:13:30] /usr/bin/cat [ OK ]
[05:13:30] /usr/bin/chattr [ OK ]
[05:13:30] /usr/bin/chmod [ OK ]
[05:13:31] /usr/bin/chown [ OK ]
[05:13:31] /usr/bin/cp [ OK ]
[05:13:31] /usr/bin/curl [ OK ]
[05:13:31] /usr/bin/cut [ OK ]
[05:13:31] /usr/bin/date [ OK ]
[05:13:31] /usr/bin/df [ OK ]
[05:13:31] /usr/bin/diff [ OK ]
[05:13:31] /usr/bin/dirname [ OK ]
[05:13:31] /usr/bin/dmesg [ OK ]
[05:13:31] /usr/bin/du [ OK ]
[05:13:31] /usr/bin/echo [ OK ]
[05:13:32] /usr/bin/egrep [ Warning ]
[05:13:32] Warning: The command ‘/usr/bin/egrep’ has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[05:13:32] /usr/bin/env [ OK ]
[05:13:32] /usr/bin/fgrep [ Warning ]
[05:13:32] Warning: The command ‘/usr/bin/fgrep’ has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[05:13:32] /usr/bin/file [ OK ]
[05:13:32] /usr/bin/find [ OK ]
[05:13:32] /usr/bin/grep [ OK ]
[05:13:32] /usr/bin/groups [ OK ]
[05:13:32] /usr/bin/head [ OK ]
[05:13:32] /usr/bin/id [ OK ]
[05:13:32] /usr/bin/ipcs [ OK ]
[05:13:33] /usr/bin/kill [ OK ]
[05:13:33] /usr/bin/killall [ OK ]
[05:13:33] /usr/bin/last [ OK ]
[05:13:33] /usr/bin/lastlog [ OK ]
[05:13:33] /usr/bin/ldd [ Warning ]
[05:13:33] Warning: The command ‘/usr/bin/ldd’ has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable
[05:13:33] /usr/bin/less [ OK ]
[05:13:33] /usr/bin/logger [ OK ]
[05:13:33] /usr/bin/login [ OK ]
[05:13:33] /usr/bin/ls [ OK ]
[05:13:33] /usr/bin/lsattr [ OK ]
[05:13:34] /usr/bin/md5sum [ OK ]
[05:13:34] /usr/bin/mktemp [ OK ]
[05:13:34] /usr/bin/more [ OK ]
[05:13:34] /usr/bin/mount [ OK ]
[05:13:34] /usr/bin/mv [ OK ]
[05:13:34] /usr/bin/netstat [ OK ]
[05:13:34] /usr/bin/newgrp [ OK ]
[05:13:34] /usr/bin/passwd [ OK ]
[05:13:34] /usr/bin/perl [ OK ]
[05:13:34] /usr/bin/pgrep [ OK ]
[05:13:35] /usr/bin/ping [ OK ]
[05:13:35] /usr/bin/pkill [ OK ]
[05:13:35] /usr/bin/ps [ OK ]
[05:13:35] /usr/bin/pstree [ OK ]
[05:13:35] /usr/bin/pwd [ OK ]
[05:13:35] /usr/bin/readlink [ OK ]
[05:13:35] /usr/bin/rpm [ OK ]
[05:13:35] /usr/bin/runcon [ OK ]
[05:13:35] /usr/bin/sed [ OK ]
[05:13:35] /usr/bin/sh [ OK ]
[05:13:35] /usr/bin/sha1sum [ OK ]
[05:13:36] /usr/bin/sha224sum [ OK ]
[05:13:36] /usr/bin/sha256sum [ OK ]
[05:13:36] /usr/bin/sha384sum [ OK ]
[05:13:36] /usr/bin/sha512sum [ OK ]
[05:13:36] /usr/bin/size [ OK ]
[05:13:36] /usr/bin/sort [ OK ]
[05:13:36] /usr/bin/ssh [ OK ]
[05:13:36] /usr/bin/stat [ OK ]
[05:13:36] /usr/bin/strace [ OK ]
[05:13:36] /usr/bin/strings [ OK ]
[05:13:36] /usr/bin/su [ OK ]
[05:13:37] /usr/bin/sudo [ OK ]
[05:13:37] /usr/bin/tail [ OK ]
[05:13:37] /usr/bin/telnet [ OK ]
[05:13:37] /usr/bin/test [ OK ]
[05:13:37] /usr/bin/top [ OK ]
[05:13:37] /usr/bin/touch [ OK ]
[05:13:37] /usr/bin/tr [ OK ]
[05:13:37] /usr/bin/uname [ OK ]
[05:13:37] /usr/bin/uniq [ OK ]
[05:13:37] /usr/bin/users [ OK ]
[05:13:37] /usr/bin/vmstat [ OK ]
[05:13:38] /usr/bin/w [ OK ]
[05:13:38] /usr/bin/watch [ OK ]
[05:13:38] /usr/bin/wc [ OK ]
[05:13:38] /usr/bin/wget [ OK ]
[05:13:38] /usr/bin/whatis [ OK ]
[05:13:38] /usr/bin/whereis [ OK ]
[05:13:38] /usr/bin/which [ OK ]
[05:13:38] /usr/bin/who [ OK ]
[05:13:38] /usr/bin/whoami [ OK ]
[05:13:38] /usr/bin/numfmt [ OK ]
[05:13:39] /usr/bin/kmod [ OK ]
[05:13:39] /usr/bin/systemctl [ OK ]
[05:13:39] /usr/bin/gawk [ OK ]
[05:13:40] /usr/libexec/nm-ifdown [ Warning ]
[05:13:40] Warning: The command ‘/usr/libexec/nm-ifdown’ has been replaced by a script: /usr/libexec/nm-ifdown: Bourne-Again shell script, ASCII text executable
[05:13:40] /usr/libexec/nm-ifup [ Warning ]
[05:13:40] Warning: The command ‘/usr/libexec/nm-ifup’ has been replaced by a script: /usr/libexec/nm-ifup: Bourne-Again shell script, ASCII text executable
[05:13:40] /usr/libexec/gawk [ OK ]
[05:13:41] /usr/lib/systemd/systemd [ OK ]
[05:13:42] /etc/rkhunter.conf [ OK ]
Checking for RH-Sharpe’s Rootkit…
[05:14:20] Checking for file ‘/bin/lps’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/lpstree’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/ltop’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/lkillall’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/ldu’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/lnetstat’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/wp’ [ Found ]
[05:14:20] Checking for file ‘/usr/bin/shad’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/vadim’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/slice’ [ Not found ]
[05:14:20] Checking for file ‘/usr/bin/cleaner’ [ Not found ]
[05:14:20] Checking for file ‘/usr/include/rpcsvc/du’ [ Not found ]
[05:14:20] Warning: RH-Sharpe’s Rootkit [ Warning ]
[05:14:20] File ‘/usr/bin/wp’ found
[05:13:24] Warning: WARNING! It is the users responsibility to ensure that when the ‘–propupd’ option
is used, all the files on their system are known to be genuine, and installed from a
reliable source. The rkhunter ‘–check’ option will compare the current file properties
against previously stored values, and report if any values differ. However, rkhunter
cannot determine what has caused the change, that is for the user to do.
[05:13:26] /usr/local/bin/rkhunter [ OK ]
[05:13:26] /usr/sbin/adduser [ OK ]
[05:13:26] /usr/sbin/chkconfig [ OK ]
[05:13:26] /usr/sbin/chroot [ OK ]
[05:13:27] /usr/sbin/depmod [ OK ]
[05:13:27] /usr/sbin/fsck [ OK ]
[05:13:27] /usr/sbin/fuser [ OK ]
[05:13:27] /usr/sbin/groupadd [ OK ]
[05:13:27] /usr/sbin/groupdel [ OK ]
[05:13:27] /usr/sbin/groupmod [ OK ]
[05:13:27] /usr/sbin/grpck [ OK ]
[05:13:27] /usr/sbin/ifconfig [ OK ]
[05:13:27] /usr/sbin/ifdown [ OK ]
[05:13:28] /usr/sbin/ifup [ OK ]
[05:13:28] /usr/sbin/init [ OK ]
[05:13:28] /usr/sbin/insmod [ OK ]
[05:13:28] /usr/sbin/ip [ OK ]
[05:13:28] /usr/sbin/lsmod [ OK ]
[05:13:28] /usr/sbin/modinfo [ OK ]
[05:13:28] /usr/sbin/modprobe [ OK ]
[05:13:28] /usr/sbin/nologin [ OK ]
[05:13:28] /usr/sbin/ping [ OK ]
[05:13:29] /usr/sbin/pwck [ OK ]
[05:13:29] /usr/sbin/rmmod [ OK ]
[05:13:29] /usr/sbin/route [ OK ]
[05:13:29] /usr/sbin/rsyslogd [ OK ]
[05:13:29] /usr/sbin/runlevel [ OK ]
[05:13:29] /usr/sbin/sestatus [ OK ]
[05:13:29] /usr/sbin/sshd [ OK ]
[05:13:29] /usr/sbin/sulogin [ OK ]
[05:13:29] /usr/sbin/sysctl [ OK ]
[05:13:30] /usr/sbin/useradd [ OK ]
[05:13:30] /usr/sbin/userdel [ OK ]
[05:13:30] /usr/sbin/usermod [ OK ]
[05:13:30] /usr/sbin/vipw [ OK ]
[05:13:30] /usr/bin/awk [ OK ]
[05:13:30] /usr/bin/basename [ OK ]
[05:13:30] /usr/bin/bash [ OK ]
[05:13:30] /usr/bin/cat [ OK ]
[05:13:30] /usr/bin/chattr [ OK ]
[05:13:30] /usr/bin/chmod [ OK ]
[05:13:31] /usr/bin/chown [ OK ]
[05:13:31] /usr/bin/cp [ OK ]
[05:13:31] /usr/bin/curl [ OK ]
[05:13:31] /usr/bin/cut [ OK ]
[05:13:31] /usr/bin/date [ OK ]
[05:13:31] /usr/bin/df [ OK ]
[05:13:31] /usr/bin/diff [ OK ]
[05:13:31] /usr/bin/dirname [ OK ]
[05:13:31] /usr/bin/dmesg [ OK ]
[05:13:31] /usr/bin/du [ OK ]
[05:13:31] /usr/bin/echo [ OK ]
[05:13:32] /usr/bin/egrep [ Warning ]
[05:13:32] Warning: The command ‘/usr/bin/egrep’ has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
[05:13:32] /usr/bin/env [ OK ]
[05:13:32] /usr/bin/fgrep [ Warning ]
[05:13:32] Warning: The command ‘/usr/bin/fgrep’ has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
[05:13:32] /usr/bin/file [ OK ]
[05:13:32] /usr/bin/find [ OK ]
[05:13:32] /usr/bin/grep [ OK ]
[05:13:32] /usr/bin/groups [ OK ]
[05:13:32] /usr/bin/head [ OK ]
[05:13:32] /usr/bin/id [ OK ]
[05:13:32] /usr/bin/ipcs [ OK ]
[05:13:33] /usr/bin/kill [ OK ]
[05:13:33] /usr/bin/killall [ OK ]
[05:13:33] /usr/bin/last [ OK ]
[05:13:33] /usr/bin/lastlog [ OK ]
[05:13:33] /usr/bin/ldd [ Warning ]
[05:13:33] Warning: The command ‘/usr/bin/ldd’ has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text
Are you running wordpress or joomla sites that have been redirected ? The vulnerability might be in those wordpress or joomla sites
The same thing happening to me. I have 2 servers and in both, I am using Cyberpanel and there 5 websites all are using WordPress. I tried to do a fresh install of WordPress but the domain was still redirecting to the discord server instead of WordPress when I used an HTML template it was working fine. And one more thing I noticed is that it is redirecting only on desktop devices on mobile devices the site works fine.
I was facing issues with my websites also. I was using WordPress and Cloudflare. I Just paused Cloudflare for the sites and the problem was fixed.