Malware found

Hello.
I found malware on my CWP pro installation in a VPS in local directory, in TMP directory, and in User directory after scanning it with malware scanner at security center. I removed them, but after few days that malware appear again and I get abuse notification from ISP few times and also they suspended and recovery my VPS.
How can I forever remove this malware because after removing them, they again appear and some devil person files (File names) appear on the files which were found malware.

I have all security protocol taken, even I have change the SSH port 2 times, how can the person access my VPS and install this malware, any idea, I have around 25 sites on that VPS and reinstallation and backup of all site will take huge time, I can also share logs if that can be helpful and I can solve the problem forever!

Sites are clean, but the server directories are effected, coz malware are found in their.
need help!

thank you.

The most usual vector is a web shell under a WordPress install. Have you verified that all your accounts are clean? I run Security Center scans periodically, and each instance of WP runs both WordFence and iThemes Security plugins. Also lock down your CSF firewall to only the ports you need, block certain countries, change your SSH port, do not allow r00t login via SSH (almost never needed). Have you scanned for FritzFrog and other SSH exploits?

Try checking with rkhunter (Rootkit Hunter):
https://medium.com/logistimo-engineering-blog/a-way-to-detect-the-rootkits-and-exploits-in-centos-rhel-5b125a8d6a25

5 cents from me

Enable mod_security for all websites hosted on your VPS/server and check the owner of the suspicious files. It will inform you which account the hacked website is hosted in.

Don't forget to update CWP to the latest stable version.

Bad sign if the suspicious files belong to "root".

My account on CWP with VPS server also have same issue. I restrict my SSH to specific IP address and removed all malicious code, and after next day when i check again malicious code and file were found on my server. Can someone help me with that?

I am removing those files from last 5 day and on every next day malicious code and file found on my server.

Are you running rkhunter to check for a root kit?

Also look for FritzFrog and Ebury:
https://srvfail.com/check-clean-ebury-ssh-rootkit/

Hi overseer,

Thank you for your replay.

Yes, i run rkhunter and found some issues but i am not sure how can i resolve those. I attached those in attachment please have a lot into that. I also check for Ebury infection and return of that netstat -plan | grep atd command is clearn no respond from that command.

Thanks in advance.

Attachment
https://we.tl/t-80WZ5JNRrb

Check the file:

Code: [Select]

/var/log/rkhunter/rkhunter.logto get more details about suspicious files.

However, the output provided by you looks good and I don't think your VPS/server is compromised.

Therefore I do believe you have the problem with your website because the site has some vulnerablity (outdated component/backdoor) and it is used to inject malicious code.

So scan your website using Wordfence (if the site is based on Wordpress), update all components including Wordpress itself.