Multiple Cyberpanel Servers Got Hacked

I have multiple cyberpanel servers that got hacked. Hackers created subdirectories like /library and /apply. These subdirectories are then installed with job websites.

Some servers keep having 100% cpu usage. There is a “kthread” process that keeps using up all CPU resources.

How do I secure my servers now? So many websites have been affected.

You can try this.

I have followed the instructions to clear the malware. However, I still have one server that has a process “kthread” that uses 100% of cpu. How can this process be removed? Killing it kills all the websites.

You should back up and restore somewhere else.

This process seems to be a kernel process; take a senior's advice or your server admin's advice.

Technical support replied that the server has been hit with crypto malware. It is related to cyberpanel’s recent hacks. They suggest that I move my websites to a new server and destroy the current one.
Can cyberpanel fix this problem? If not I will move my websites to a new server.
The current problem is there are two /opt/.kthread/kthread that kept using up all cpu resources.

I tried this to clear the malware on another server. A few hours later, my server got hit again. I still got two servers with 100% or 300% cpu usage. One is Kthread and the other xmrig process.

I don’t think this script works anymore. The malware keeps coming back even though I have updated cyberpanel to the latest version.

Because Cyberpanel is one big flaw, get another panel and reinstall the server. The malware has already got all available, so only reinstallation.

Yes this script only works with kinsing.

They are releasing updates frequently, but as you can see, servers and panels are going down every time. The best option is changing your panel and following the security measures.

There is more than one malware. Some of my websites have a job portal website installed. Some have a crypto mining process running on the server. Cyberpanel admins should have listed out all the issues.

I hope you tried the kinsing script. And is it working?

If your site is working and you are able to log in to your wp-admin, then it is better to take a backup and create a new server with xcloud host and serveravatar like control panel.

You can use ClamAV and LMD to find and remove viruses from your server, but it is better to create a new server.

Also, don’t forget to check cronjob, tmp, ssh and root directory while scanning.

The lesson that everybody should learn from this incident — never blindly trust this type of control panel. Try xcloud host or ServerAvatar type of control panel.
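
Added example, not part of any post in this thread: a read-only POSIX shell triage over the places the replies say to check (cron jobs, tmp, ssh, root) and the `/opt/.kthread/kthread` and xmrig processes reported above. The function names, the root-prefix argument and the `--scan` switch are assumptions of this example; it only lists findings and removes nothing.

```shell
#!/bin/sh
# Read-only triage for the indicators named in this thread (added example).
# Every function takes a root prefix, so a mounted copy of the disk works too.
NAMES='kthread|xmrig|kinsing'   # process names reported in the thread

# PIDs whose executable sits in a hidden directory, carries one of those names,
# or was deleted after launch. Real kernel threads have no /proc/PID/exe target,
# so a "kthread" that resolves to a file on disk is an ordinary user process.
suspicious_procs() {
  for d in "${1:-}"/proc/[0-9]*; do
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    case $exe in
      */.*/*|*/kthread|*/xmrig|*/kinsing|*" (deleted)")
        printf '%s %s\n' "${d##*/}" "$exe" ;;
    esac
  done
}

# Cron lines that mention those names or pipe a download straight into a shell.
suspicious_cron() {
  r=${1:-}
  grep -rEsH "($NAMES)|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh" \
    "$r/var/spool/cron" "$r/etc/crontab" "$r/etc/cron.d" || true
}

# Owner-executable regular files in the world-writable scratch directories.
tmp_executables() {
  r=${1:-}
  find "$r/tmp" "$r/var/tmp" "$r/dev/shm" -xdev -type f -perm -100 \
    2>/dev/null || true
}

# authorized_keys files with their key counts, for manual review.
ssh_keys() {
  r=${1:-}
  for f in "$r"/root/.ssh/authorized_keys "$r"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] && printf '%s %s\n' "$f" "$(grep -cvE '^[[:space:]]*(#|$)' "$f")"
  done
  return 0
}

# Scan the live system only when asked: sh triage.sh --scan (run as root).
if [ "${1:-}" = "--scan" ]; then
  suspicious_procs ""; suspicious_cron ""; tmp_executables ""; ssh_keys ""
fi
```

Run it as root so `/proc/PID/exe` is readable for every process, and treat any hit as a reason to rebuild from backup, as the replies above recommend.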