I'm using Ubuntu 20.04 for running CyberPanel on my webserver. In the last few days, a security flaw found in CyberPanel led to attacks on thousands of CyberPanel machines, and mine didn't escape that x.x
On mine they installed kinsing malware which was using all the CPU, so I found out about it and was trying to remove it, those were the major happenings after that:
- When trying to remove Kinsing, all files got suddenly encrypted by C3rb3r encryptor, so I rolled back to a backup from a day earlier
- I managed to remove kinsing, but something called zzxx64 was still running and reinstalling on the /var/ folder
- I removed that one as well, then lots of random websites spawned in the public_html folders, like public_html/library, public_html/gig, etc.
- They had the audacity to even register those on Google Search console under random e-mails, that's how I noticed those, so I went into each public_html folder and deleted those as well
- They also added a sysdb.php and a wp-inc.php file with a virus in each public_html folder, I deleted those as well
- Changed the root password a few times and then I was unable to log in with a password for some reason
- Added an SSH key and disabled password auth for SSH
- Had problems with dovecot getting too many connections, so I had to change it into performance mode and also configured fail2ban to block the IPs trying to brute-force the SSH and the e-mails (doesn't seem to have worked for the e-mails though)
- Ran clamscan multiple times
- Ran rkhunter and chkrootkit
- It says I might have an LKM rootkit
So after I did everything I could think of to protect and save my server, a few issues still remain:
- Apt installing anything says there are problems with initramfs-tools, with this message:

    Setting up initramfs-tools (0.136ubuntu6.7) ...
    update-initramfs: deferring update (trigger activated)
    Processing triggers for initramfs-tools (0.136ubuntu6.7) ...
    update-initramfs: Generating /boot/initrd.img-5.4.0-198-generic
    E: /usr/share/initramfs-tools/hooks/fsck failed with return 1.
    update-initramfs: failed for /boot/initrd.img-5.4.0-198-generic with 1.
    dpkg: error processing package initramfs-tools (--configure):
     installed initramfs-tools package post-installation script subprocess returned error exit status 1
    Errors were encountered while processing:
     initramfs-tools

- I'm still having multiple IPs trying to log in to SSH on random ports and probably to e-mail as well, but I don't know how to verify or block that for e-mail; the ufw firewall and the VPS firewall don't seem to be blocking those attempts
- chkrootkit says there are 200-something hidden files and processes and that I could have an LKM rootkit. CPU goes all the way to 100% all the time, except when I try to see which process is using that much CPU with top or htop, then CPU usage drastically reduces (temp fix: have a screen with top running all the time)
CPU graphs (while running top):
I closed the screen that was running the top command and it didn't come back to 100% CPU, but I'm sure there might be something avoiding detection...
Please help, I don't know what else I can do x.x
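The "hidden processes" finding above is the classic symptom of a kernel-module rootkit filtering the /proc directory listing that ps and top rely on. The script below is an added example, not from the original post: it probes /proc/<pid> directly for every candidate PID and reports any PID that opens fine but never shows up in the listing, taking the listing before and after the probe so short-lived processes are not misreported. It assumes a Linux host with /proc mounted; the fallback PID limit is an assumption.

```python
"""Find PIDs that exist in /proc but are missing from its directory listing."""
import os

PID_MAX_PATH = "/proc/sys/kernel/pid_max"
FALLBACK_PID_MAX = 32768  # assumed value used only if pid_max cannot be read


def listed_pids():
    """PIDs visible through readdir() of /proc, the way ps/top/ls see them."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(pid_max=None):
    """PIDs found by opening /proc/<pid>/status directly, bypassing readdir()."""
    if pid_max is None:
        try:
            with open(PID_MAX_PATH) as fh:
                pid_max = int(fh.read().strip())
        except (OSError, ValueError):
            pid_max = FALLBACK_PID_MAX
    return {pid for pid in range(1, pid_max + 1)
            if os.path.exists(f"/proc/{pid}/status")}


def hidden_pids(listed_before, probed, listed_after):
    """PIDs the probe found that neither listing showed, sorted ascending.

    A process that merely started or exited while the probe ran appears in
    one of the two listings and is therefore excluded (false-positive filter).
    """
    return sorted(probed - listed_before - listed_after)


def comm_of(pid):
    """Best-effort process name; the entry may already be gone."""
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "<gone>"


def scan():
    """Return [(pid, comm)] for PIDs still present and still unlisted after re-check."""
    before = listed_pids()
    probed = probed_pids()
    after = listed_pids()
    confirmed = []
    for pid in hidden_pids(before, probed, after):
        # Re-verify: must still exist via direct probe and still be absent from readdir().
        if os.path.exists(f"/proc/{pid}/status") and pid not in listed_pids():
            confirmed.append((pid, comm_of(pid)))
    return confirmed


if __name__ == "__main__":
    for pid, comm in scan():
        print(f"unlisted pid {pid}: {comm}")
```

A clean host prints nothing; a PID reported here should be cross-checked from a trusted boot medium, since a rootkit able to filter /proc can also tamper with the tools on the running system.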