Hi, someone is able to install a .x folder in my root. The folder contains 2 files; it's flagged as a virus on VirusTotal and it's in fact cryptocurrency mining software. I noticed it immediately because my CPU usage goes to 70 percent when this virus is installed.
I checked several times and no one knows my passwords. I have fail2ban enforced to prevent brute-force attacks, and I checked the logs: nobody connected using my password, yet they are able to put a .x folder in my root.
I deleted everything once and it was normal for a few weeks, but they installed it again a few days ago and I deleted it again.
How can they put a folder in my root without my passwords?
It appears your CyberPanel installation has been compromised by crypto mining malware. This is a common problem with several possible attack vectors that don't necessarily require your password. Let me outline the likely causes and solutions:
Possible Attack Vectors
Recent CyberPanel Vulnerability (October 2024): CyberPanel recently suffered from critical vulnerabilities (CVE-2024-51567 and CVE-2024-51568) that allowed for unauthenticated remote code execution, which attackers exploited to deploy cryptocurrency miners and ransomware across thousands of servers. If you haven’t updated to the latest version, this could be the entry point.
Redis Service Vulnerability: If you have Redis running without proper authentication, this service has a well-known remote code execution vulnerability that can be exploited for cryptomining attacks.
Kernel Exploits: Some Linux malware uses kernel-level rootkits to hide their mining operations. Skidmap, for example, hooks system calls like getdents to hide specific files and uses netlink rootkits to fake network traffic statistics and CPU load information.
Persistence Mechanisms: Crypto mining malware often maintains persistence on the target system by modifying files like rc.local, which runs during system boot with root privileges.
Web Application Vulnerabilities: If you’re running websites, especially with PHP or outdated content management systems, these can provide entry points for attackers.
Recommended Solutions
First, update CyberPanel to the latest version immediately.
Check for and remove the crypto mining malware.
Implement the security hardening measures.
Consider a complete system audit to ensure no backdoors remain.
Regularly monitor system performance and security logs.
If this issue persists after these steps, you might need to consider a fresh installation of your server to ensure complete removal of any hidden backdoors or persistent malware. This means a fresh installation of both Linux (such as Ubuntu 22.04) and CyberPanel.
Note: I also suggest that you move to another hosting service, and if you need a recommendation please reply. I hope this helps.
I did not update my CyberPanel because I was worried that if I do, everything will break. I can't allow this server to break. I read on this forum that somebody made the update and his server was no longer functioning. How risky is it to make that update?
The good thing about CyberPanel updates is that even if it breaks, your websites do not go down, as CyberPanel is not tied to OpenLiteSpeed or MySQL/MariaDB.
If CyberPanel breaks, your websites will be up and you can troubleshoot the CyberPanel interface in the meantime.
This allows you to ensure your CyberPanel isn't compromised, which in turn will still compromise your websites depending on the level of exploit.
Alternatively, block all connections to 8090 and whitelist your IP. This would mean having a static IP, or SSHing into the machine and whitelisting it.
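A small read-only audit script, added here as an example and not taken from the thread or from CyberPanel itself, that checks the indicators raised in the earlier answer (the `.x` directory in root, rc.local persistence, Redis running without `requirepass`) and emits the port-8090 whitelist rules from the reply above. It assumes Ubuntu-style paths (`/etc/rc.local`, `/etc/redis/redis.conf`), that `ufw` is the firewall in use, and a placeholder admin IP; every function takes an optional path so it can be run against a test tree first.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): read-only checks for the indicators
# discussed above. Each function takes an optional path so it can be tried
# on a scratch directory; the defaults point at the live system.

# The OP reports a hidden ".x" directory dropped in root. Return 1 if present.
find_dot_x_dir() {
  local root="${1:-/}"
  if [ -d "$root/.x" ]; then
    echo "FOUND: $root/.x (preserve a copy for analysis before deleting)"
    return 1
  fi
  return 0
}

# rc.local persistence: print every line that is not a comment, blank, or
# "exit 0". Return 1 when such lines exist so an admin reviews them.
rc_local_suspicious_lines() {
  local file="${1:-/etc/rc.local}"
  [ -f "$file" ] || return 0
  if grep -E -v '^[[:space:]]*(#|exit 0[[:space:]]*$|$)' "$file"; then
    return 1
  fi
  return 0
}

# Redis without authentication: return 0 only when an active (uncommented)
# requirepass directive is present in the config file.
redis_conf_has_auth() {
  local conf="${1:-/etc/redis/redis.conf}"
  [ -f "$conf" ] || { echo "no redis.conf at $conf"; return 1; }
  grep -qE '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]+' "$conf"
}

# Emit (do not apply) ufw rules restricting the CyberPanel port 8090 to one
# admin IP. ufw evaluates rules in order, so the allow precedes the deny.
ufw_rules_8090() {
  local admin_ip="$1"
  printf 'ufw allow from %s to any port 8090 proto tcp\n' "$admin_ip"
  printf 'ufw deny 8090/tcp\n'
}

# Usage on the live box (as root), with 203.0.113.5 as a placeholder admin IP:
#   find_dot_x_dir; rc_local_suspicious_lines; redis_conf_has_auth
#   ufw_rules_8090 203.0.113.5        # review, then pipe to sh to apply
```

Run the checks before removing anything so the dropped files and the boot entry can be kept for analysis.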