Malware

marsm · Nov 29, 2013

I received the following email from my hosts - I have a dedicated centos server with cpanel. I have been informed that was a fault with cpanel and that I now have malware and the only fix is to reinstall the os. This is a massive process, and I cannot believe there isn't a fix for this that does not entail an os reinstall. Any advice would be greatly appreciated.

Here's the email:

The malware we are talking about is a system base infection (sshd) that provide a backdoor root access to a hacker, spy and steal password.

This is why we invite you to re-install the server.

Thank you to provide us the result of the following commands:

# procnumber=$(ps aux | grep "/usr/sbin/sshd" | grep -v grep | awk '{print $2}') && gcore $procnumber && strings -a core.$procnumber | egrep "Version 1.3|g:sshd:1|key:1|g:%s:%s|u:%s:%s|ssh:1|getspnam|ekfwbqltizpdvurjnacshxogym|Sniffing packet"

# rpm -V keyutils-libs

# lsof -Pni | grep

More discussion on (cpanel forum):
Determine Your System's Status

quizknows · Nov 30, 2013

The SSHD backdoor has nothing to do with cPanel. It can be installed on any machine running SSHD if the machine was compromised on a root level.

Sorry to say it, but if a server is compromised on a root level you really should let them reinstall the OS. Yes, you could replace the compromised SSHD library (libkeyutils) and restart the service to remove that backdoor, but there is no telling what other areas of your system may be compromised beyond repair.

I'd start here:
Determine Your System's Status

If the rpm verification for libkeyutils fails or the symlink goes to a file that does not belong to an RPM, your system is indeed owned (rooted) and you should reinstall your OS.

marsm · Dec 2, 2013

Thanks for the insights and advice guys - I'm probably going to do a reinstall shortly; how do I protect myself so that this doesn't happen again?

cPanelMichael · Dec 2, 2013

Hello

A good place to start for general security recommendations is the cPanel Security Advisor. It's documented at:

cPanel - Security Advisor

Thank you.

quizknows · Dec 2, 2013

Security advisor is a good place to start.

Root compromises usually result from either out-dated kernel versions allowing a web app hack to escalate priveleges, or a compromise of the root password.

The first is easy to defend against; when a new kenel comes out, install it and reboot to make it active.

The second you can help with by doing things like disallowing direct root ssh login, and firewalling your WHM port off to only trusted IP addresses.

Thread starter	Similar threads	Forum	Replies	Date
M	ImunifyAV Malware Notifications	Security	3	Mar 28, 2023
I	A malware has been detected - Action Required (false positive)	Security	8	Feb 20, 2023
E	Question about email "A malware has been detected - Action Required"	Security	36	Oct 19, 2022
H	Cpanel hosting malware scanning not detecting trojan	Security	3	Jul 22, 2022
F	Imunify AV malware scanner	Security	17	Jan 28, 2022

Search

Search

Malware

marsm

Member

quizknows

Well-Known Member

marsm

Member

cPanelMichael

Administrator

quizknows

Well-Known Member