
My dedicated CentOS 6 server was mining. I scanned the system with clamscan (ClamAV); the log is below. I have already gone through "How do I deal with a compromised server?".

The server is not physically available, so how can I disconnect it from the internet?

I suspect /bin/mig is the infected file. Can I remove it, as it does not belong to any package?

  /bin/mig: Unix.Malware.Agent-6743195-0 FOUND
  /home/XXXX/mail/XXXX.com/info/new/1539098255.M12312312.sXXXX-XX-XX-XX.erver.net,S=22802,W=23120: Heuristics.Phishing.Email.SpoofedDomain FOUND
  WARNING: Can't open file /sys/devices/virtual/tty/tty/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/console/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/ptmx/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/tty0/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/tty1/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/mem/full/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/mem/random/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/mem/urandom/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/misc/tun/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/block/ploop11014/ploop11014p1/ve_device_add: Permission denied
  /usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: Html.Exploit.CVE_2014_1804-1 FOUND

1 Answer


Sorry to tell you this - the TL;DR is you need to get someone to rebuild your server from scratch.

With respect to disconnecting the server: the advice you found is generic and may not be applicable. That said, it is a best practice. I guess in theory you should ask whoever set it up to take it offline. Assuming this is correct, and you have a static IP address, you can isolate your computer with iptables. Note this is risky and could lock you out if your IP address changes or I've gotten something wrong, so make sure it can be rebooted. (Maybe schedule a cron job?)

The following line should, in theory, limit access to just your IP. It needs to be done on one line because it first blocks everything, regardless of the current rules, and then allows data to and from your IP. To be clear, YOUR.IP is the IP you want to connect to the server from:

  # -I inserts at the top of the chain, so each ACCEPT inserted after a DROP ends up above it and is matched first
  /sbin/iptables -I INPUT -j DROP; /sbin/iptables -I INPUT -s YOUR.IP -j ACCEPT; /sbin/iptables -I OUTPUT -j DROP; /sbin/iptables -I OUTPUT -d YOUR.IP -j ACCEPT

The thing is, though, removing the infected file won't fix the problem. There was a mechanism at play to both upload that file and make it run. You need to find out how this happened and prevent the recurrence.

Worse than that, your system is untrustable: to have any degree of certainty it's clean you have to wipe it and fully reinstall. Note /bin/mig: this file should not be there, and installing it at that location would have required root access. This means the attacker has root access. It means they could completely cover their tracks and install additional backdoors that are practically impossible to detect. The smart money says they will have done so, as the hard part is getting root access.

davidgo
  • Thank you @davidgo. How about restoring the system to a certain point? Will that work? I hope this will not affect the website data. – developeronsandbox Nov 04 '19 at 08:00
  • Restoring a system to a certain point will only work to a point. The roll-back needs to predate the compromise, but, more difficult, you then need to remove the mechanisms used in the compromise - and it sounds like you don't know what these are! – davidgo Nov 04 '19 at 08:13
  • Looking at your log again, I'm guessing that your cpanel is compromised - look at the last line of your log. At a minimum you will want a clean reinstall of cpanel, or disable it completely in the new setup. – davidgo Nov 04 '19 at 08:19
  • Okay. Yeah, I am new to this issue. OK, I will check the log now. – developeronsandbox Nov 04 '19 at 08:21
  • @davidgo, I contacted the hosting provider. They said they provide an option to back up websites, rebuild the server and restore the backups. I scanned the websites and took backups. No threat found in the code. I hope that will help. Thanks. – developeronsandbox Nov 04 '19 at 09:23
  • @davidgo, I am planning to do that on the weekend. Can you suggest whether I can remove /bin/mig, as rpm -qf gives "This file is not associated to any package"? As I told you, it was marked as infected by ClamAV, and I also downloaded it and scanned it with Avast, which also marked it as a threat. I just don't want to break anything over the weekend. Thanks!! – developeronsandbox Nov 04 '19 at 10:52
  • mig is not required by the OS and is most likely a trojan. Removing it won't damage your OS but won't fix the underlying problem. Whether you remove it or not depends on what you plan to do next. I would chmod it to 400 (readable only, and only by owner) and then back it up offsite and delete it. It may contain clues as to how you were hacked. Problem is you are not addressing the cause of the problem so you will likely be reinfected. – davidgo Nov 04 '19 at 20:24
  • Okay. Thank you for your valuable suggestions. The best thing, as you also suggested, is to rebuild the system, and I will do it. – developeronsandbox Nov 05 '19 at 10:12
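The answer describes three steps without tying them together: isolate the box with iptables, have a safety net so a wrong IP does not lock you out for good, and (in the comments) chmod 400 the suspect binary, copy it somewhere safe and only then delete it. The script below is an added example written for this page; it is not davidgo's code or the asker's. It assumes the admin address is a placeholder from the RFC 5737 documentation range, that /sbin/iptables, iptables-save/iptables-restore and `at` exist (all present on a stock CentOS 6 install), and a 15-minute rollback window; the evidence directory and the file names it writes are also choices made here. The firewall is only touched when the script is run with `--apply`, so the evidence and rule-building functions can be exercised on an ordinary file first.

```shell
#!/bin/sh
# Emergency isolation and evidence preservation for a compromised Linux host.
# Added example for this page, not the answer's own script. Assumptions:
#   - ADMIN_IP is the static address you administer from (placeholder below);
#   - /sbin/iptables, iptables-save and iptables-restore exist (CentOS 6 defaults);
#   - 'at' is installed, so a rollback can be scheduled before the rules are applied.

ADMIN_IP="${ADMIN_IP:-198.51.100.7}"        # assumed placeholder, RFC 5737 documentation range
ROLLBACK_MINUTES="${ROLLBACK_MINUTES:-15}"  # assumed window before the old rules come back
IPT=/sbin/iptables

# Build the isolation command as one line. Each -I inserts at the top of the chain,
# so the ACCEPT issued after the DROP lands above it and is evaluated first.
build_isolation_cmd() {
    ip="$1"
    printf '%s -I INPUT -j DROP; %s -I INPUT -s %s -j ACCEPT; %s -I OUTPUT -j DROP; %s -I OUTPUT -d %s -j ACCEPT\n' \
        "$IPT" "$IPT" "$ip" "$IPT" "$IPT" "$ip"
}

# Save the current ruleset and schedule its restoration BEFORE isolating. If ADMIN_IP
# was wrong, access returns after ROLLBACK_MINUTES instead of never (the "cron job" idea).
apply_isolation() {
    backup="/root/iptables.pre-isolation.$(date +%s)"
    iptables-save > "$backup"
    echo "/sbin/iptables-restore < $backup" | at "now + $ROLLBACK_MINUTES minutes"
    eval "$(build_isolation_cmd "$ADMIN_IP")"
    echo "isolated; rules roll back from $backup in $ROLLBACK_MINUTES minutes unless you atrm the job"
}

# Report which RPM owns a file; an unowned executable in /bin is itself a red flag.
owning_package() {
    rpm -qf "$1" 2>/dev/null || echo "not owned by any package (or rpm unavailable)"
}

# Copy a suspect file with its timestamps, hash and ownership record before it is removed,
# then make the copy owner-read-only so it cannot be run or altered by accident.
preserve_evidence() {
    src="$1"; dest_dir="$2"
    name=$(basename "$src")
    mkdir -p "$dest_dir"
    cp -p "$src" "$dest_dir/$name"
    chmod 400 "$dest_dir/$name"
    sha256sum "$src" > "$dest_dir/$name.sha256"
    stat -c 'path=%n size=%s owner=%U mode=%a modified=%y' "$src" > "$dest_dir/$name.stat"
    owning_package "$src" > "$dest_dir/$name.rpm"
}

# Only touch the firewall and /bin/mig when explicitly asked; sourcing the file is otherwise harmless.
if [ "${1:-}" = "--apply" ]; then
    preserve_evidence /bin/mig /root/ir-evidence
    apply_isolation
fi
```

Run it as `ADMIN_IP=your.static.ip sh isolate.sh --apply`, reconnect from that address to confirm you still have access, then `atq`/`atrm` the rollback job if you want the isolation to persist. Pull /root/ir-evidence off the box with scp from the admin host before the rebuild; the hash file lets you prove later that the copy is the file ClamAV flagged, and the copy remains available for analysis of how the attacker got in.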