Multiple Cyberpanel Servers Got Hacked

I have multiple cyberpanel servers that got hacked. Hackers created subdirectories like /library and /apply. These subdirectories are then installed with job websites.

Some servers keep having 100% cpu usage. There is a “kthread” process that keeps using up all CPU resources.

How do I secure my servers now? So many websites have been affected.

You can try this.

I have followed the instructions to clear the malware. However, I still have one server that has a process “kthread” that uses 100% of cpu. How can this process be removed? Killing it kills all the websites.

You should back up and restore somewhere else.

This process seems to be a kernel process; take senior advice or your server admin's advice.

Technical support replied that the server has been hit with crypto malware. It is related to cyberpanel’s recent hacks. They suggest that I move my websites to a new server and destroy the current one.
Can cyberpanel fix this problem? If not I will move my websites to a new server.
The current problem is there are two /opt/.kthread/kthread that kept using up all cpu resources.
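A triage sketch for the confusion above, added as an example and not part of any post in this thread: a genuine kernel thread carries the `PF_KTHREAD` task flag and has no executable, while a binary such as `/opt/.kthread/kthread` is an ordinary userland process with a kernel-like name. The names `kthread`, `xmrig` and `kinsing` come from the thread; the other kernel-style prefixes and the function names are assumptions.

```python
import os

PF_KTHREAD = 0x00200000  # flag the kernel sets on genuine kernel threads
# kthread, xmrig and kinsing are named in the thread; the other prefixes are assumptions.
KERNEL_STYLE = ("kthread", "kworker", "ksoftirqd", "kswapd")
MINER_NAMES = ("xmrig", "kinsing")

def read_proc(proc_root, pid):
    """Return (comm, flags, exe) for one PID, or None if it exited mid-scan."""
    base = os.path.join(proc_root, pid)
    try:
        with open(os.path.join(base, "stat")) as f:
            stat = f.read()
    except OSError:
        return None
    # comm is in parentheses and may contain spaces: split on the last ')'.
    comm = stat[stat.index("(") + 1:stat.rindex(")")]
    flags = int(stat[stat.rindex(")") + 2:].split()[6])
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""  # kernel threads have no exe; also unreadable without root
    return comm, flags, exe

def find_masquerading(proc_root="/proc"):
    """Flag userland processes posing as kernel threads or running known miners."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        info = read_proc(proc_root, pid)
        if info is None or info[1] & PF_KTHREAD:
            continue  # gone, or a real kernel thread
        comm, _, exe = info
        deleted = exe.endswith(" (deleted)")
        path = exe[:-len(" (deleted)")] if deleted else exe
        names = (comm, os.path.basename(path))
        reasons = []
        if any(n.startswith(KERNEL_STYLE) for n in names):
            reasons.append("kernel-style name on a userland process")
        if any(m in n for n in names for m in MINER_NAMES):
            reasons.append("known miner name")
        if any(d.startswith(".") for d in path.split("/")[1:-1]):
            reasons.append("runs from a hidden directory")
        if deleted:
            reasons.append("binary deleted from disk")
        if reasons:
            findings.append((int(pid), comm, path, reasons))
    return sorted(findings)

if __name__ == "__main__":
    for pid, comm, path, reasons in find_masquerading():
        print(pid, comm, path or "?", "; ".join(reasons))
```

Run it as root so the `exe` links of every process are readable. A hit is a lead for investigation and for the rebuild decision, not proof that the host is otherwise clean.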

I tried this to clear the malware on another server. A few hours later, my server got hit again. I still got two servers with 100% or 300% cpu usage. One is Kthread and the other xmrig process.

I don’t think this script works anymore. The malware keeps coming back even though I have updated cyberpanel to the latest version.

Because Cyberpanel is one big flaw, get another panel and reinstall the server. The malware has already got all available, so only reinstallation.

Yes this script only works with kinsing.

They are releasing updates frequently, but as you can see, servers and panels are going down every time. The best option is changing your panel. And follow the security measures.

There is more than one malware. Some of my websites have a job portal website installed. Some have a crypto mining process running on the server. Cyberpanel admins should have listed out all the issues.

I hope you tried the kinsing script. And is it working?

If your site is working and you are able to log in to your wp-admin, then it is better to take a backup and create a new server with xcloud host and serveravatar like control panel.

You can use ClamAV and LMD to find and remove viruses from your server, but it is better to create a new server.

Also, don’t forget to check cronjob, tmp, ssh and root directory while scanning.

Lesson that everybody should learn from this incident — never blindly trust this type of control panel. Try xcloud host or ServerAvatar type of control panel.

The kinsing script doesn’t work even though it detected malware. I solved the problem by removing the crypto mining malware. This solved the 100% CPU usage problem. Then moved all my websites to another server. Without removing the crypto mining malware, it’s not possible to do anything as the CPU is always at 100%.

Thanks for the advice. xcloud host or ServerAvatar are not freeware. Those can be compared to Cpanel and Plesk. Should compare cyberpanel to freeware panels like webmin+virtualmin or cloudpanel+mailcow, aapanel, etc. I have tried those and am coming back to cyberpanel. Hopefully the cyberpanel team can make their panel more secure.

You’re right. It is not good to compare a premium service to the freeware control panel.

But first thing, I am not comparing CyberPanel with any other control panel. I am just giving suggestions. Comparison and suggestions are two different things.

Second thing, I suggested xcloud.host and ServerAvatar for those who are looking for a free alternative control panel, and both of these have a free option. You can manage 1 server with 10 websites on xcloudhost without paying anything and live support is awesome.

CyberPanel is also a good panel with good performance. If you want to use it, then you can, but if somebody may get a better option, then what is wrong with suggesting it to them?

Currently, CloudPanel is a good option compared to aapanel, CyberPanel, and others. CyberPanel is too buggy. 60% of my clients have switched to CloudPanel and others are switching to other web-based panels.

Note: I am affiliated with any of these software/panel.

I have over 60 servers running CyberPanel. Not a single server or site has been compromised.
The recipe is simple:

  1. Regular updates (automated)
  2. Disabled lscpd
  3. All servers without root (access by ssh key)
  4. Crowdsec

  1. My servers were on the latest version when they were hacked, as the loophole was in the latest version.
  2. Disable LSCPD? I googled it and got the following warning. modify the settings to disable the LSCPD service; be cautious as disabling this security feature could potentially leave your server more vulnerable; it’s generally recommended to consult with your hosting provider before making such changes.
  3. All servers have disabled SSH. It didn’t help with the latest incident but I think it will help in others.
  4. Crowdsec won’t help stop the hack that happened on my servers. But I am sure it will help in others.

I have been studying how to hide cyberpanel from being detected. I have done the following.

  1. Change cyberpanel admin port from 8090 to other port number
  2. Limit IP access to cyberpanel admin

Anyone have other suggestions?