Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
1
Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 08:32:33 PM »Maybe. The first thing you can do is change the SSH port and restrict access to SSH login for all users on the system to trusted IP addresses. Change the passwords for absolutely all users. This does not solve the problem since CWP is compromised and requests can be executed as root from there, but somehow it ensures that the server is not used for botnets - DDoS, email spam, etc. As I said, the infection through CWP was long ago. Personally, I think one of my servers was infected minutes before 03.09.2021, 03:46:34, because the logs before that are missing, and it has been online since 2020. I also restored backups and the infection existed 2-3 years ago. Even if the server is cleaned, as long as the vulnerability in CWP exists, it is still under threat. Personally, I will wait for the CWP bug to be fixed and then reinstall the server with the new CWP panel.thank you
but, can you please tell me which way I can be 100% sure that malware exists?
I'm asking this because many tess found on internet shows that my system is not infected.
Your test only shows that it is. And if I run it on other server (which is not connected to my original in any way), there too it shows positive
If my instructions indicate that you are infected, it is 99.99% certain, especially if both tests are positive. There has clearly been a mass infection through CWP. Which hosting provider are you using?
2
Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 08:02:24 PM »
By the way, which hosting provider do you use? My servers are with hetzner.com.
3
Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 07:38:37 PM »
Maybe. The first thing you can do is change the SSH port and restrict access to SSH login for all users on the system to trusted IP addresses. Change the passwords for absolutely all users. This does not solve the problem since CWP is compromised and requests can be executed as root from there, but somehow it ensures that the server is not used for botnets - DDoS, email spam, etc. As I said, the infection through CWP was long ago. Personally, I think one of my servers was infected minutes before 03.09.2021, 03:46:34, because the logs before that are missing, and it has been online since 2020. I also restored backups and the infection existed 2-3 years ago. Even if the server is cleaned, as long as the vulnerability in CWP exists, it is still under threat. Personally, I will wait for the CWP bug to be fixed and then reinstall the server with the new CWP panel.
4
Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 07:01:35 PM »
Once the system is compromised, it is unknown which backdoors are open.
5
Information / Re: Ebury trojan on all of my CWP servers
« on: March 23, 2023, 02:29:49 PM »
The same thing happened to me. 2 servers with CentOS 7 and CWP 7 were infected. I did a quick analysis and it turned out that the infection happened more than 11 months ago for sure. Another thing I found out is that the server was not infected 3 years ago. I learned this from the backups I have for these 2 servers. So, the infection did not happen on March 17-20... Keep this in mind.
6
CentOS-WebPanel Bugs / Every morning all vhosts lose their settings
« on: November 05, 2021, 09:02:34 AM »
Hello,
after last update, every morning all vhosts lose their settings.
All sites response with blank page - Index of/ or 404.
To solve this, i rebuild every morning WebServers conf for domain from - WebServer settings -> WebServers Domain Conf -> Select username -> View / Edit configuration -> Save changes
After this sites going up and work.
Application version:
Apache version: Apache/2.4.34
PHP version: 7.2.31
MySQL version: 10.0.25-MariaDB
FTP version: 1.0.36
Web Servers: nginx-varnish-apache
System Info:
CPU Model: QEMU Virtual CPU version (cpu64-rhel6)
CPU Details: 6 Core (2400 MHz)
Distro Name: CentOS release 6.7 (Final)
Kernel Version: 2.6.32-573.26.1.el6.x86_64
Platform: x86_64 kvm
CWPpro version: 0.9.8.899
after last update, every morning all vhosts lose their settings.
All sites response with blank page - Index of/ or 404.
To solve this, i rebuild every morning WebServers conf for domain from - WebServer settings -> WebServers Domain Conf -> Select username -> View / Edit configuration -> Save changes
After this sites going up and work.
Application version:
Apache version: Apache/2.4.34
PHP version: 7.2.31
MySQL version: 10.0.25-MariaDB
FTP version: 1.0.36
Web Servers: nginx-varnish-apache
System Info:
CPU Model: QEMU Virtual CPU version (cpu64-rhel6)
CPU Details: 6 Core (2400 MHz)
Distro Name: CentOS release 6.7 (Final)
Kernel Version: 2.6.32-573.26.1.el6.x86_64
Platform: x86_64 kvm
CWPpro version: 0.9.8.899
Pages: [1]
