Control Web Panel

WebPanel => CentOS-WebPanel Bugs => Topic started by: mouchoon on October 06, 2018, 07:33:38 AM

Title: coin hive attack on my server ... how?
Post by: mouchoon on October 06, 2018, 07:33:38 AM
Hello,

My server runs CentOS 6.9, CWP version: 0.9.8.573.
For a few days it has been infected with a virus (coinhive), and all my websites on this server get:

Threat found
This web page contains potentially dangerous content.
Threat: JS/CoinMiner.AH potentially unwanted application

How do I clean this from my CWP?
How did it happen, and why did the firewall not work?

Title: Re: coin hive attack on my server ... how?
Post by: Netino on October 07, 2018, 08:13:45 PM
You *must* check your *entire* server, with a clean boot.

If you don't have physical access to the server, you must ask someone who has.

After that, try to install Maldet, with the script:
/scripts/install_maldet

Check if you have some antivirus installed too.

Normally, if you have some malware on your server, discovered by accessing some page, you must check that page individually, and restore the original page or program.

Title: Re: coin hive attack on my server ... how?
Post by: bullten on October 08, 2018, 04:14:28 AM
Do remember CentOS kernels are not symlink patched. If one site gets hacked, then all sites on your server may get compromised using a symlink attack. It's better to use a symlink patch for protection, as multiple sites are hosted on your server.

https://www.cloudlinux.com/kernelcare-blog/entry/symlink-protection-patchset-centos-6-7-kernelcare
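
Added example, not part of the original thread and not CWP or CloudLinux code: a read-only audit that lists symlinks in each account's web root whose target resolves outside that account's home directory, the cross-site links the post above warns about. It assumes accounts are laid out as `<base>/<user>/public_html` and that GNU `readlink` is available; the function name `audit_symlinks` is hypothetical.

```shell
#!/bin/sh
# Added example: path-based audit of symlinks in shared-hosting web roots.
# Assumption: each account lives at <base>/<user>/public_html (e.g. /home).
# Requires GNU readlink (-f and -m), as shipped with CentOS coreutils.
#
# Usage: audit_symlinks /home
# Prints one line per suspicious link: "<link> -> <resolved target>"

audit_symlinks() (
    base="${1:-/home}"
    for home in "$base"/*/; do
        # Skip accounts without a web root (also skips an unmatched glob).
        [ -d "$home/public_html" ] || continue
        # Canonicalise the home path so prefix comparison is reliable.
        home=$(readlink -f -- "$home") || continue

        # find does not follow symlinks by default, so the walk itself
        # cannot be led out of the account; -xdev keeps it on one filesystem.
        find "$home/public_html" -xdev -type l -exec sh -c '
            home=$1; shift
            for link in "$@"; do
                # -m resolves the full chain even if the target is missing.
                target=$(readlink -m -- "$link")
                case "$target" in
                    "$home"|"$home"/*) ;;   # stays inside the account
                    *) printf "%s -> %s\n" "$link" "$target" ;;
                esac
            done' sh "$home" {} +
    done
)
```

A reported link is only a lead: check who owns the link and when it was created before restoring or removing anything.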