What are the next steps to recover from the hack? I was able to get my server running from a backup (lost some data but nothing too bad) but now I feel something more needs to be done.
Can the dev team lay out the steps now that the server data has been exposed? The MySQL root password needs changing, right? What else needs changing? Can the dev team create a full list along with the commands to run?
Thank you, but this wasn't the question. I have my server running properly, but the passwords etc. are out in the wild. I want to know what stuff we need to change on the server after recovery.
Upgrade to the latest. For me, I think the infected files are still there. Not sure where to remove them. But I had removed many of them. And I disabled SSH from the AWS console, as I am using EC2. That stopped it from happening again. Make sure to upgrade, that will fix the exploit.
All my crons were removed and the atdb malware was added. After the upgrade to the latest (2.3.8), it was all restored. Now I need to wait till tomorrow to check if the automated Google backups are working or not, as they are crucial for emails.