Mining malware on customer's site
Hi!
Someone is uploading Monero mining malware to one of my customer's accounts:
/home/USERNAME/.cagefs/var/cache/.xmr
I delete or rename the .xmr directory, kill the running process, and it's uploaded again.
Anything I can do? Of course, my customer says it's my fault or my server's fault.
Thanks!
-
Is this account using any sort of CMS or PHP software?
-
Hi @Fbarajas

To build on what was suggested by @rpvw, it is common that malware is introduced through a vulnerable CMS plugin/theme/extension, etc. In this case it would appear that while you got rid of the symptom of the issue, you did not remove the root cause. In order to ensure that the malware has been removed, typically a full audit of files in the account is warranted, especially old plugins/themes/extensions which are out of date and/or unused. On top of that, a lot of people opt to run scans like that provided by ClamAV: Configure ClamAV Scanner - Version 70 Documentation - cPanel Documentation

Thanks!
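One way to start the file audit suggested in the reply above, as an added example that is not part of the original thread or of cPanel's tooling: a read-only walk of the account's home directory that reports hidden directories and executables inside cache/tmp trees (the pattern of the `.cagefs/var/cache/.xmr` drop) and recently modified PHP files that may be the re-upload entry point. The function name, finding labels, the `cache`/`tmp` directory set and the 7-day window are assumptions chosen for illustration.

```python
import os
import stat
import sys
import time

# Assumption: directories a web app may write to but should never run code from.
SCRATCH_DIRS = {"cache", "tmp"}
PHP_SUFFIXES = (".php", ".phtml")


def audit_account(home, days=7, now=None):
    """Return sorted (kind, relative_path) findings for one account home."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = set()
    for root, dirs, files in os.walk(home, followlinks=False):
        rel_root = os.path.relpath(root, home)
        parts = [] if rel_root == "." else rel_root.split(os.sep)
        in_scratch = any(p in SCRATCH_DIRS for p in parts)
        for d in dirs:
            # Hidden directory nested in a cache/tmp tree, e.g. var/cache/.xmr
            if in_scratch and d.startswith("."):
                findings.add(("hidden-dir-in-scratch", os.path.join(rel_root, d)))
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: never follow attacker-placed symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, home)
            # Any execute bit on a file living under cache/tmp is suspicious.
            if in_scratch and st.st_mode & 0o111:
                findings.add(("executable-in-scratch", rel))
            # Recently changed PHP: candidate web shell or dropper to review.
            if name.lower().endswith(PHP_SUFFIXES) and st.st_mtime >= cutoff:
                findings.add(("recent-php", rel))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, rel in audit_account(target):
        print(f"{kind}\t{rel}")
```

Modification times can be reset by whoever wrote the file, so an empty `recent-php` list does not clear the account; treat the output as a starting list for manual review alongside a ClamAV scan.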