The Community Forums


Malware

Discussion in 'Security' started by marsm, Nov 29, 2013.

  1. marsm

    marsm Member

    Joined:
    Jan 17, 2013
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I received the following email from my hosts - I have a dedicated CentOS server with cPanel. I have been informed that there was a fault with cPanel, that I now have malware, and that the only fix is to reinstall the OS. This is a massive process, and I cannot believe there isn't a fix for this that does not entail an OS reinstall. Any advice would be greatly appreciated.

    Here's the email:

     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The SSHD backdoor has nothing to do with cPanel. It can be installed on any machine running SSHD if the machine was compromised on a root level.

    Sorry to say it, but if a server is compromised on a root level you really should let them reinstall the OS. Yes, you could replace the compromised SSHD library (libkeyutils) and restart the service to remove that backdoor, but there is no telling what other areas of your system may be compromised beyond repair.

    I'd start here:
    Determine Your System's Status

    If the rpm verification for libkeyutils fails or the symlink goes to a file that does not belong to an RPM, your system is indeed owned (rooted) and you should reinstall your OS.
     
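    The two checks quizknows describes (does `rpm -V` still accept the keyutils-libs package, and does the libkeyutils symlink resolve to a file that some RPM owns), written up as an added example; this is not code from the thread or from cPanel. It assumes an RPM-based CentOS layout (libraries in /lib64, package name keyutils-libs) and that rpm(1) is installed; the rpm commands are variables so the logic can be dry-run with stand-ins.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel. Assumes an RPM-based host;
# override LIBDIR and PKG if the layout or package name differs.
LIBDIR="${LIBDIR:-/lib64}"
PKG="${PKG:-keyutils-libs}"
# rpm commands as variables so the logic can be exercised with stand-ins.
RPM_VERIFY="${RPM_VERIFY:-rpm -V}"
RPM_QUERY_FILE="${RPM_QUERY_FILE:-rpm -qf}"

# Check 1: `rpm -V <pkg>` prints nothing while every packaged file still matches
# the RPM database; any output line (e.g. "S.5....T.  /lib64/libkeyutils.so.1.3",
# i.e. size, digest and mtime changed) means verification failed.
rpm_verify_status() {
    out=$($RPM_VERIFY "$1" 2>&1 || true)
    if [ -z "$out" ]; then echo pass; return 0; fi
    printf '%s\n' "$out" >&2
    echo fail; return 1
}

# Does a path belong to an installed RPM? `rpm -qf` exits non-zero and prints
# "... is not owned by any package" when it does not.
rpm_owns_file() {
    $RPM_QUERY_FILE "$1" >/dev/null 2>&1
}

# Check 2: follow the libkeyutils symlink chain to its final target and require
# that target to be a packaged file. Returns 0 only when both checks pass.
check_libkeyutils() {
    lib="$1"; pkg="$2"; rc=0
    rpm_verify_status "$pkg" >/dev/null || rc=1
    target=$(readlink -f "$lib" || true)
    if [ -n "$target" ] && rpm_owns_file "$target"; then
        echo "$lib -> $target is owned by an RPM"
    else
        echo "$lib -> ${target:-<unresolved>} is NOT owned by any RPM"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "verdict: clean"; else echo "verdict: suspect, treat host as rooted"; fi
    return $rc
}

# Extra sweep: every libkeyutils* file in a directory that no RPM claims
# (a dropped-in extra library shows up here even if the symlink looks normal).
scan_libdir() {
    for f in "$1"/libkeyutils*; do
        [ -e "$f" ] || continue
        rpm_owns_file "$f" || echo "$f"
    done
}

# Run the checks when invoked with --run; without it the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    check_libkeyutils "$LIBDIR/libkeyutils.so.1" "$PKG"
    echo "libkeyutils files in $LIBDIR not owned by any RPM:"; scan_libdir "$LIBDIR"
fi
```

    Run it as root with `--run`; a non-zero exit or any path in the final list is the signal to take the reinstall advice above rather than swap the library and move on.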
  3. marsm

    marsm Member

    Joined:
    Jan 17, 2013
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks for the insights and advice guys - I'm probably going to do a reinstall shortly; how do I protect myself so that this doesn't happen again?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    671
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Security Advisor is a good place to start.

    Root compromises usually result from either outdated kernel versions allowing a web app hack to escalate privileges, or a compromise of the root password.

    The first is easy to defend against; when a new kernel comes out, install it and reboot to make it active.

    The second you can help with by doing things like disallowing direct root SSH login, and firewalling your WHM port off to only trusted IP addresses.
     