Author Topic: coin hive attack on my server ... how?  (Read 4962 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
coin hive attack on my server ... how?
« on: October 06, 2018, 07:33:38 AM »
hello

my server with CentOS 6.9, CWP version: 0.9.8.573
few days infected with virus : coinhive and in all my websites in this server get:

Threat found
This web page contains potentially dangerous content.
Threat: JS/CoinMiner.AH potentially unwanted application

how to clean this from my cwp?
How it happened and firewall has not worked?
« Last Edit: October 06, 2018, 07:54:35 AM by mouchoon »

Offline
***
Re: coin hive attack on my server ... how?
« Reply #1 on: October 07, 2018, 08:13:45 PM »
You *must* have to check your *entire* server, with a clean boot.

If you don't have phisical access to the server, you must ask to it who have.

After that, try to install Maldet, with script:
/scripts/install_maldet

Check if you have some antivirus installed too.

Normally, if you have some malware in your server, discovered by accessing some page, you must check that page individually, and restore the original page or program.

Offline
***
Re: coin hive attack on my server ... how?
« Reply #2 on: October 08, 2018, 04:14:28 AM »
Do remember CentOS kernels are not symlink patched. If one site gets hacked then all sites on your server may get compromised using symlink attack. Its better to use symlink patch for protection as multiple sites are hosted on your server.

Code: [Select]
https://www.cloudlinux.com/kernelcare-blog/entry/symlink-protection-patchset-centos-6-7-kernelcare