Infected with xmRIG virus

I just checked all my servers and none have that.
How do you log in over SSH, with a password or a key? Could your computer be infected?

I’m using Xshell 7 and logging in as root

Is it a legitimate Xshell 7 or a cracked one? It sounds weird that multiple servers get xmrig as root. You should check that your computer doesn’t have any malware.

The free version of Xshell 7 is available from the official website

I checked my Win11 system, no malicious programs

Try installing a fresh server with SSH keys, and disable password login and root login. Use the official install script, not a ready-made image or a marketplace image.

Everyone must upgrade their CyberPanel installations, and if you are not technical enough to upgrade your CyberPanel, move out to a fresh CyberPanel installation.

There was recently a security release: Change Logs

I am using the installation command from the official website, so it should be the latest version.

I deployed two VPS servers with Ubuntu 20.04 from Vultr yesterday to test something out quickly. I installed CyberPanel and nothing else. Today both of them are infected with xmrig. Surely the root password from Vultr is secure enough, so the main vulnerability path would be that I left CyberPanel’s admin password as the default 1234567. I also didn’t configure any of the security settings, firewall, etc.

Any thoughts on what might have happened?

I can’t investigate further, since I immediately deleted both servers. But if someone can give some instructions on what I should log, I’m happy to set up a new VPS with the same config and just leave it to get hacked again.

Just checked all my servers and not affected by this.

Maybe as @nick.chomey mentioned, could it be due to unsecured password for the admin user?

My main server is fine, though this motivated me to finally secure it further. I just did the following:

  1. Create another user, give it root privileges, and set it up to connect with my public key.
  2. In /etc/ssh/sshd_config, set PermitRootLogin and PasswordAuthentication to no

Though, now that I’ve done this and looked around a bit, what I’m guessing is that with a default CyberPanel pw, anyone could log into the server and add an ssh key at https://site.com:8090/firewall/secureSSH, which would presumably give them full root access without any passwords.

Am I missing something? If not, is this a feature that should even exist within the panel?

And should we even be permitted to install CyberPanel with the default password? I think it would be prudent to force users to either choose one or have a random one set by a command like openssl rand 60 | openssl base64 -A and then it is printed at the end of setup.

To test all of this, I’m currently deploying a new VPS where I will keep the default CyberPanel pw, and I will try to add a public key to it and then try to connect to the server like that without “knowing” the root password.

@usmannasir I just successfully hacked my new vps server in 10 seconds with the above method.

I installed CyberPanel with the default password 1234567, went to Security->Secure SSH and added the PubKey for my computer. Then from my ssh client I connected to the server with the IP, root username and my private key. Anyone could use their own key, so long as they have the cyberpanel password.

I think it is crucial to disable the default pw option, and make the default option random. If you want a dumb pw for some quick testing purposes, you should have to enter it manually and receive a warning about it.

I also see that the random password is only 16 characters, from this mechanism: head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16

Shouldn’t it be made considerably longer? There’s no real reason it couldn’t be 50+ characters.

Moreover, how is this even possible? Should the cyberpanel user even have root access such that it can add the public key for the root user’s home directory?

I will leave this vps up and running and wait for it to get hacked again. I’ll try to investigate when it does happen. Any suggestions for what to do and look for are welcomed.
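The check behind the post above, as an added example that is not part of the thread or of CyberPanel: a small POSIX shell audit that compares root’s authorized_keys against an allowlist of the keys you deployed yourself, so a key written there by the panel’s Secure SSH page (or by anyone who knew the admin password) shows up as unknown. The file names, the allowlist idea and the key bodies are all constructed for the example; nothing here is a real key.

```shell
#!/bin/sh
# Added example, not from the thread or from CyberPanel: compare an
# authorized_keys file against an allowlist of the keys you deployed yourself.
# Keep the allowlist somewhere the panel cannot write (your workstation, a
# config-management repo), otherwise an attacker with panel access edits both.

# Print "<type> <base64>" for each key line. Leading options such as
# "no-agent-forwarding" and the trailing comment are dropped, so the same key
# matches whether or not it carries them.
key_bodies() {
  awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    { for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
          print $i, $(i + 1); break
        }
    }
  ' "$1"
}

# Keys present in authorized_keys ($2) but absent from the allowlist ($1), one per line.
unknown_keys() {
  key_bodies "$2" | while IFS= read -r k; do
    key_bodies "$1" | grep -qxF -- "$k" || printf '%s\n' "$k"
  done
}

# Number of unexpected keys; anything above 0 means someone else has root.
count_unknown() { unknown_keys "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample files: the key bodies are placeholders, not real keys.
DEMO=$(mktemp -d)
cat > "$DEMO/allowed_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyBody admin@laptop
EOF
cat > "$DEMO/authorized_keys" <<'EOF'
# root's authorized_keys as it might look after the panel page was used
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyBody admin@laptop
no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyBody admin@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAttackerKeyBody someone@nowhere
EOF

echo "unknown keys in $DEMO/authorized_keys:"
unknown_keys "$DEMO/allowed_keys" "$DEMO/authorized_keys"
```

On a real server you would run unknown_keys with /root/.ssh/authorized_keys (and the authorized_keys of any sudo user) as the second argument, ideally from cron with the output mailed to you, and treat a non-empty result as a compromise rather than a configuration drift. The allowlist comparison is deliberately on the key body only: an attacker can copy your comment string, but not your key.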

Hi Nick, I appreciate you doing those tests.
I am a Linux beginner. I only know that I am infected with the XMRig virus, but I do not know how to remove it. After your testing, have you found the problem now?
What can I do to make my server more secure?

@wang I would suggest deploying a new server and moving your websites to it. Set a strong password for the cyberpanel admin account, create a new system user and give it sudo privileges, turn off root login access, set up an ssh private/public key for the new user, install CSF, and other things.

If this is all too complicated, I would recommend checking out CloudPages, RunCloud or GridPane. They all offer excellent and easy VPS server management for an affordable price.
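The SSH part of the hardening recommended in the two posts above (PermitRootLogin and PasswordAuthentication set to no, plus a long random admin password instead of the 16-character one), as an added example that is neither the thread’s nor CyberPanel’s code. The functions take a file path so they can be exercised on a copy before touching /etc/ssh/sshd_config; the sample config below is constructed, and the defaults passed to the audit (prohibit-password, yes) are the upstream OpenSSH defaults, which your distribution may override.

```shell
#!/bin/sh
# Added example, not code from the thread or from CyberPanel: audit and fix the
# two sshd_config settings recommended above, and generate an admin password
# long enough to be worth keeping.

# Effective value of keyword $2 in file $1, or $3 when the file does not set it.
# sshd uses the FIRST uncommented value it finds, so a stray "PasswordAuthentication yes"
# near the top wins over a "no" further down. Match blocks are not global; stop there.
sshd_setting() {
  v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        tolower($1) == "match" { exit }       # per-user/host overrides start here
        tolower($1) == key { print $2; exit } # first value wins
      ' "$1")
  printf '%s\n' "${v:-$3}"
}

# One line per risky setting; no output means both are locked down.
weak_settings() {
  [ "$(sshd_setting "$1" PermitRootLogin prohibit-password)" = no ] \
    || echo "PermitRootLogin is not 'no' (a key dropped into /root/.ssh/authorized_keys still logs in)"
  [ "$(sshd_setting "$1" PasswordAuthentication yes)" = no ] \
    || echo "PasswordAuthentication is not 'no' (root password can be guessed online)"
}

# Rewrite file $1 in place: the first global occurrence of each keyword becomes
# the hardened value, later duplicates are dropped, and a missing keyword is
# added before the first Match block (or at the end of the file).
harden_sshd() {
  tmp="$1.tmp.$$"
  awk '
    function want(k) { return k == "permitrootlogin" ? "PermitRootLogin no" : "PasswordAuthentication no" }
    function flush(   k) { for (k in todo) if (!(k in done)) { print want(k); done[k] = 1 } }
    BEGIN { todo["permitrootlogin"] = 1; todo["passwordauthentication"] = 1; inmatch = 0 }
    !inmatch && tolower($1) == "match" { flush(); inmatch = 1 }
    !inmatch && (tolower($1) in todo) {
      k = tolower($1)
      if (!(k in done)) { print want(k); done[k] = 1 }
      next
    }
    { print }
    END { if (!inmatch) flush() }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Random admin password of $1 characters (default 50) over A-Za-z0-9, from /dev/urandom.
gen_password() { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-50}"; echo; }

# Entropy in bits of an n-character password over that 62-symbol alphabet.
password_bits() { awk -v n="$1" 'BEGIN { printf "%d\n", n * log(62) / log(2) }'; }

# Constructed sample resembling a stock sshd_config; not taken from any real server.
DEMO=$(mktemp -d)
CFG="$DEMO/sshd_config"
cat > "$CFG" <<'EOF'
# constructed sample, not a real server's config
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
EOF

echo "before:"; weak_settings "$CFG"
harden_sshd "$CFG"
echo "after:";  weak_settings "$CFG"
echo "16 chars = $(password_bits 16) bits, 50 chars = $(password_bits 50) bits"
echo "example password: $(gen_password 50)"
```

Two caveats a practitioner would want. First, prohibit-password (the upstream default for PermitRootLogin) still accepts root logins with a key, which is exactly the path the Secure SSH page opens; only PermitRootLogin no closes it, so do that after the new sudo user and its key are confirmed working. Second, on distributions that ship an Include directive, the included fragments are read at that point and take precedence under the first-value rule, so audit them too, and after any change run sshd -t and restart sshd from a session you keep open.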

Do you want to give root permission to the new user?

How do I set up the SSH private key or public key?

How do I install CSF?

Manual installation is recommended.

Then try another provider… or install the OS only… then scan it… if clean… do a manual installation.
If clean… then the problem is with your provider’s pre-installed image.

Are you sure?
It’s better to test a manual installation.

Me too,
and destroy and reinstall multiple times.

Agreed.

What AV do you use?


BTW… are you using a nulled script or a GPL CMS?

It is quite obvious not to use 123456 as a password. I wonder how come people are using 123456 as a password? At least change it to something personalized and stronger. It’s like setting your bank password to 123456 and expecting not to get hacked/robbed.


HOW THE XMRIG TROJAN VIRUS SNEAKS ONTO YOUR COMPUTER SYSTEM - Orenda Security

It is quite obvious not to use 123456 as a password

Agreed - so why is it not just an option, but the default option in the CyberPanel install? That should change immediately such that a long random password is the default.

Any thoughts about my other concerns regarding whether cyberpanel user should be able to manage the root user’s SSH keys?

To keep the installation process simple, users are given 3 choices regarding the password for the admin user:

  1. default
  2. random
  3. set

If default is selected, it will be 123456 (this is also mentioned while selecting the password option in the installer).
If random is selected, it will generate a long random password (which you will need to note down).
If set is selected, you can set your own password (although the characters won’t be visible while typing the password in the SSH screen).

So I don’t think there is anything more to be done here, as all options are already provided. Even if a user selects the default 123456 password for convenience, after installation and getting through the login they are aware of this weak password and should change it quite naturally.

Regarding the SSH key, every panel stores the key to get connected to the server. But this should be accessible only to admin-level users in CyberPanel, and not to user- and reseller-level users. I haven’t checked whether normal users are also allowed to change the SSH keys (will check that too).

I’m well aware of the installation password options - I described them a few times above. What I’m saying is that the default option should be random or set your own, not 1234567. In fact, that shouldn’t even be an option. There is no reason for it. If you want a weak password, you should set it yourself. It shouldn’t be weak by default and publicly known.

For the ssh key, I’m curious how it works because as far as I can tell, cyberpanel user doesn’t have sudo privileges.