Messages - dp41646

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 09:44:42 PM »
check the server by the instructions just to be sure...but this looks like a false alert.
https://srvfail.com/check-clean-ebury-ssh-rootkit/

yes, I've checked with tests in that link, and it seems that my server is not infected

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 09:09:48 PM »

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 08:35:20 PM »
I don't have that file

Are you on Centos 8 or Almalinux? If so the file won't be there, it's only there on Centos 7. My Centos 8 and Almalinux servers were exploited also on the 19th with the same notice of ebury from my host, still trying to figure out exactly how. My server admin believes it's just a vulnerability in CWP and we have to wait for a fix. Once again maybe the update on the 20th patched something? Who knows.

I'm on CentOS 7.9.2009

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 08:34:30 PM »
But regarding ssh -G:

"It should be noted that people using an OpenSSH version released after October 2014 will get a false positive with the ESET test, since there is now a legitimate -G switch in the SSH binary. See e.g. the SSH man page on OpenBSD.org or the Github mirror of the actual commit adding this switch."
Daniel Andersson, Feb 14, 2016 at 19:42

From:
https://stackoverflow.com/questions/22526214/ssh-g-21-grep-e-illegal-e-unknown-dev-null-echo-system-clean

I am in Croatia, and have local hosting provider

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 08:26:38 PM »
thank you
but, can you please tell me which way I can be 100% sure that malware exists?
I'm asking this because many tests found on the internet show that my system is not infected.
Your test only shows that it is. And if I run it on other server (which is not connected to my original in any way), there too it shows positive

Check if you have /usr/lib64/libkeystats.so file in your system. If you do you're infected. I would say it's safe to bet that the majority of CWP users are infected and don't know it.

As top20 said most likely the vulnerability with CWP is still open so cleaning out the server, re-installing the OS and then putting back CWP will probably just end up with the same issue until it's patched.

I don't have that file
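
The two indicators argued over in this thread, the ESET "ssh -G" test (quoted from Stack Overflow above) and the presence of /usr/lib64/libkeystats.so (suggested by the other poster), are combined below in an added example script. It is not code from the thread, from ESET or from the CWP project. It assumes the libkeystats.so path exactly as given in the thread, and it treats the "ssh -G" result as inconclusive rather than positive whenever the installed OpenSSH is 6.8 or newer (the release that made -G a legitimate flag, which is the point the quoted comment makes). The functions take their inputs as arguments so they can be run against a mounted disk image or a constructed test directory instead of the live host.

```shell
#!/bin/sh
# Added example: Ebury indicator checks from the thread above.
# Not from CWP or ESET; the libkeystats.so path and the OpenSSH 6.8
# threshold are assumptions taken from the thread and the quoted comment.
# Usage:  sh ebury_check.sh --run       (checks the live host)
#         . ./ebury_check.sh            (only defines the functions)

# Indicator 1 (from the thread): /usr/lib64/libkeystats.so exists.
# $1 = library directory to inspect (default /usr/lib64), so it can be
# pointed at a mounted image or a scratch directory. Prints clean|suspicious.
ebury_lib_check() {
    libdir="${1:-/usr/lib64}"
    if [ -e "$libdir/libkeystats.so" ]; then
        echo "suspicious"
    else
        echo "clean"
    fi
}

# Indicator 2: the old ESET one-liner, originally
#   ssh -G 2>&1 | grep -e illegal -e unknown >/dev/null \
#       && echo "System clean" || echo "System infected"
# It assumed a stock ssh rejects -G. OpenSSH 6.8 added a legitimate -G,
# so on a modern host "no error" is inconclusive, not a positive.
# $1 = output of `ssh -V`, $2 = output of `ssh -G 2>&1`.
# Prints clean|inconclusive|suspicious.
classify_ssh_g() {
    version_line="$1"   # e.g. "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"
    g_output="$2"       # e.g. "ssh: illegal option -- G" or a usage/config dump
    case "$g_output" in
        *illegal*|*unknown*)
            echo "clean"; return 0 ;;   # -G was rejected: the original "clean" branch
    esac
    # -G was accepted. Decide whether that is expected for this version.
    ver=$(printf '%s\n' "$version_line" \
          | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo "suspicious"; return 0     # not a parseable OpenSSH banner, yet -G accepted
    fi
    major=${ver% *}; minor=${ver#* }
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo "inconclusive"             # legitimate -G; the test cannot tell you anything
    else
        echo "suspicious"               # pre-6.8 ssh should have rejected -G
    fi
}

# Runs both checks against the live host and prints a one-line summary.
# $1 = optional library directory override.
ebury_report() {
    lib=$(ebury_lib_check "$1")
    if command -v ssh >/dev/null 2>&1; then
        banner=$(ssh -V 2>&1 || true)
        gout=$(ssh -G 2>&1 || true)     # same invocation as the thread's test
        g=$(classify_ssh_g "$banner" "$gout")
    else
        g="no-ssh"
    fi
    echo "libkeystats.so: $lib; ssh -G test: $g"
}

if [ "${1:-}" = "--run" ]; then
    ebury_report
fi
```

A "suspicious" from either check is a reason to pull the binaries and libraries for offline analysis, not proof on its own; an "inconclusive" from the -G test is exactly the false positive the quoted comment describes and should not be read as an infection.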

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 08:16:57 PM »
Maybe. The first thing you can do is change the SSH port and restrict access to SSH login for all users on the system to trusted IP addresses. Change the passwords for absolutely all users. This does not solve the problem since CWP is compromised and requests can be executed as root from there, but somehow it ensures that the server is not used for botnets - DDoS, email spam, etc. As I said, the infection through CWP was long ago. Personally, I think one of my servers was infected minutes before 03.09.2021, 03:46:34, because the logs before that are missing, and it has been online since 2020. I also restored backups and the infection existed 2-3 years ago. Even if the server is cleaned, as long as the vulnerability in CWP exists, it is still under threat. Personally, I will wait for the CWP bug to be fixed and then reinstall the server with the new CWP panel.
thank you
but, can you please tell me which way I can be 100% sure that malware exists?
I'm asking this because many tests found on the internet show that my system is not infected.
Your test only shows that it is. And if I run it on other server (which is not connected to my original in any way), there too it shows positive

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 07:03:04 PM »
So the only way to get rid of it is a clean OS install?

Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 06:34:42 PM »
Ok, I'm infected too...
I am scanning now with clam, will clam clean it?

Thx!

Other / Re: How to protect my files against download
« on: February 12, 2023, 06:30:55 PM »
Content on the web is open to all, so there is no way to prevent downloading that kind of stuff.

You can add some scripts, for example to disable right-click or something like that, but anyone with basic knowledge of the console can download anything from your website.

Information / Re: 0.9.8.1147 released ? what is the changelog ?
« on: October 25, 2022, 11:02:25 AM »
Thanks for the update :)
PS. Do you have any timeline for bigger updates (spamassassin config, themes/templates)? Those features are listed on the CWP website as coming soon.

Thank you

Information / Re: 0.9.8.1147 released ? what is the changelog ?
« on: October 25, 2022, 09:00:46 AM »
Not yet  :D
I would like to wait for changelog before update :)

Postfix / Re: how to stop spam
« on: April 13, 2022, 06:48:36 AM »
Will CWP have some updates regarding mail spam?
Some configuration tools are really missing from CWP (spamassassin level filtering, !greylisting!, email/domain blocking, sent/received mail log, etc)

Postfix / Re: Spam Filtering by Subject Line
« on: March 07, 2022, 10:03:36 AM »
I don't think spammers care about the Reject status, because most of the time it's bots. Same for greylisting. Most of them won't try again after a 4.x.x response.

So, greylisting (a bit aggressive for my taste) + spamassassin + spamhaus/blacklist checks = The best spam protection without false positives.

You can't have 100% spam protection without false positives.
Hi,
does CWP have greylisting?
Is it possible to activate it?
I think that this should solve many of the spam problems I am currently facing.

Thx

E-Mail / Re: how to know the spam source
« on: January 17, 2022, 06:49:19 AM »
Hi,
and where is phpmail.log located if I'm using apache + nginx?
In that case the phpmail.log located in /usr/local/apache/logs/phpmail.log is empty.
Thank you

E-Mail / Re: Fake users sending spam
« on: January 11, 2022, 09:12:44 PM »
I've had a similar problem a few weeks ago...
CWP team should investigate this, as this kind of spam can really make server IP address reputation bad...
