
System compromised

Comments

7 comments

  • mtindor

    All I will say is that the email you got with the base64 stuff presumably added a user named "fix" and set a specific password on it. The UID of the new user was 0 (root).

    Take that for what it is worth. Sounds like it's time to build a new machine.

    0
  • Kostas Arvanitidis

    /etc/passwd shows no other user than 'root' with root permissions. Also there is no 'fix' user with any permissions/group whatsoever.

    The same is for /etc/shadow, no encrypted password there for a user with that name.

    While the cron was running I kept receiving emails from the system that it was trying (unsuccessfully) to create a new user.

    Could it be 'hiding' in any other way?

    0
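    As an added example (not code from the thread or from cPanel), the checks Kostas describes can be scripted so they are repeatable: list every account carrying UID 0 besides `root`, look for a specific account name, and flag UIDs shared by more than one passwd entry. The script runs against a constructed passwd-format sample embedded below; pass a real path as the first argument to audit a live file.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits passwd-format text
# for extra UID-0 accounts, a named account, and duplicate UIDs.
# Functions read passwd text from stdin so they work on any file or sample.

# Constructed sample (not a real system file): 'root' plus a planted 'fix'
# account that shares UID 0, mirroring the scenario described in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kostas:x:1001:1001::/home/kostas:/bin/bash
fix:x:0:0::/home/fix:/bin/bash'

# Print every account whose UID field (3rd, colon-separated) is 0, except root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Exit status 0 if an account with the given name exists in the passwd text.
has_account() {
    awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Print "UID: name1 name2 ..." for every UID that appears on more than one line.
# Shared UIDs are a common way a planted account inherits another user's rights.
duplicate_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }'
}

# Run all checks on the passwd text from stdin and print a short report.
audit_passwd() {
    data=$(cat)
    printf 'Extra UID-0 accounts: %s\n' \
        "$(printf '%s\n' "$data" | uid0_accounts | tr '\n' ' ')"
    if printf '%s\n' "$data" | has_account "$1"; then
        printf "Account '%s': PRESENT\n" "$1"
    else
        printf "Account '%s': not found\n" "$1"
    fi
    printf 'Duplicate UIDs: %s\n' \
        "$(printf '%s\n' "$data" | duplicate_uids | tr '\n' ' ')"
}

# Usage: ./audit_passwd.sh [/etc/passwd] [account-name]
# Without arguments the constructed sample is audited for the 'fix' account.
if [ -n "${1:-}" ]; then
    audit_passwd "${2:-fix}" < "$1"
else
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd fix
fi
```

Run it as `sh audit_passwd.sh /etc/passwd fix` on the system in question; the same functions can be pointed at `/etc/shadow` with `has_account` to confirm whether a hash line exists for the name.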
  • cPRex Jurassic Moderator

    There is no way to "fix" a compromised machine - you'll need to either migrate or restore content to a new server.

    0
  • Kostas Arvanitidis

    Noted! This is going to be my path now. Is migrating the accounts safe? I'm planning to use the WHM account transfer tool. Do you suppose it will also transfer 'bad' files?

    0
  • cPRex Jurassic Moderator

    Transfer Tool is also what we use to migrate compromised systems. If the bad data is inside a user account, that would get migrated, but extra root users and whatnot are not something it would move.

    0
  • Kostas Arvanitidis

    Thanks to both of you. That was really insightful info! I've got some work to do now!

    2
  • Radeonpower

    In the future, make sure your OS is up to date as well as cPanel/WHM.

    It would not be a bad thing either to use CloudLinux, CSF & Imunify360. Very good software; even though it costs money, it will save you hours of work in the future dealing with security issues. I use them all and I don't regret the money spent on them.

    0
