The gcc.sh vulnerability in VestaCP and its detection and removal methods

888u

Last updated: 2024-05-27, edited by 888u

VestaCP, the web management panel recommended by this site, has been hit by a vulnerability. Here are the detection and removal methods.

All commands are run over SSH.

1. First, determine whether the server has been compromised:

find /etc -name gcc.sh -print

If /etc/cron.hourly/gcc.sh is listed, a Trojan has been planted.

2. If a Trojan has been planted, back up all data first.

3. Block gcc.sh (remove its permissions, then make it and /etc/crontab immutable):

chmod 0 /etc/cron.hourly/gcc.sh; chattr +ia /etc/cron.hourly/gcc.sh; chattr +i /etc/crontab

4. Look for the Trojan binaries. They come in two forms: one is named update, the other has a randomly generated name (such as ahzihydns or rangqpbjp).

a. Use lsof to find the update Trojan:

lsof -n |grep /tmp/update

update 31116 root txt REG 253,2 625611 146301 /tmp/update
update 31116 31124 root txt REG 253,2 625611 146301 /tmp/update
update 31116 31125 root txt REG 253,2 625611 146301 /tmp/update
update 31116 31126 root txt REG 253,2 625611 146301 /tmp/update

First, suspend the update process rather than killing it outright:

kill -STOP 31116

Then delete the binary:

rm /tmp/update

Finally, kill the suspended process:

kill -9 31116

If /etc/init.d/update exists, delete it as well. Finally, delete /lib/libudev.so:

rm /lib/libudev.so
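The suspend, delete, kill sequence from step 4a as one function. This is an added example, not code from the original post or from the itldc.com write-up it cites. It reads /proc/<pid>/exe instead of calling lsof, so it also works on a minimal system where lsof is not installed; the function name stop_remove_kill and the chattr step (clearing the immutable and append-only flags in case the file was protected that way) are my additions. The ordering is the point: a process that is suspended before its file is removed cannot re-create the file while the removal is in progress.

```sh
#!/bin/sh
# Added example: suspend -> delete -> kill for one malicious binary.
# stop_remove_kill PATH
#   1. finds every process whose executable is PATH via /proc/<pid>/exe
#      (no dependency on lsof),
#   2. sends SIGSTOP to all of them first, so none of them can restore
#      the file while it is being removed,
#   3. clears the immutable/append-only attributes if chattr is available
#      (assumption: the file may have been protected with chattr +ia),
#      then deletes the file,
#   4. sends SIGKILL to the suspended processes.
# Prints the PIDs it handled; returns 1 if PATH does not exist.
stop_remove_kill() {
    target=$1
    [ -e "$target" ] || { echo "stop_remove_kill: no such file: $target" >&2; return 1; }
    real=$(readlink -f -- "$target")
    pids=""
    for exe in /proc/[0-9]*/exe; do
        pid=${exe#/proc/}
        pid=${pid%/exe}
        [ "$pid" = "$$" ] && continue
        # readlink fails for kernel threads and processes we may not inspect;
        # those simply do not match
        if [ "$(readlink -f -- "$exe" 2>/dev/null)" = "$real" ]; then
            pids="$pids $pid"
        fi
    done
    for pid in $pids; do
        kill -STOP "$pid" 2>/dev/null || true
    done
    if command -v chattr >/dev/null 2>&1; then
        chattr -ia "$target" 2>/dev/null || true
    fi
    rm -f -- "$target"
    for pid in $pids; do
        kill -KILL "$pid" 2>/dev/null || true
    done
    echo "$pids"
}

# Usage (after confirming the path with lsof, as in the step above):
#   stop_remove_kill /tmp/update
```

The function prints the PIDs it suspended and killed, so the result can be cross-checked against the lsof output.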

b. The randomly named Trojans are harder to remove. First check whether any such binaries are present in /usr/bin:

# ls -lt /usr/bin | head -20
итого 171828
-rwxr-xr-x 1 root root 625622 апр 4 00:01 xmpwotmqnr
-rwxr-xr-x 1 root admin 625633 апр 3 23:55 lluoohrpal
[...]

For binaries like these, first suspend the processes running them (matched here by the file sizes 625622 and 625633 from the listing):

kill -STOP `lsof -n | egrep "625622|625633" | grep -v deleted| awk '{print $2}' | uniq`

View the list of files to be deleted:

# lsof -n | egrep "625622|625633"
xmpwotmqn 1120 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr
xmpwotmqn 1120 1169 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr
xmpwotmqn 1120 1170 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr
xmpwotmqn 1120 1171 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr

Delete /usr/bin/xmpwotmqnr, /usr/bin/lluoohrpal and /lib/libudev.so, then kill the processes suspended earlier:

kill -9 `lsof -n | egrep "625622|625633" | awk '{print $2}' | uniq`

Check whether any malicious scripts remain in /etc/init.d. For example:

-rwxr-xr-x 1 root admin 323 апр 3 23:55 xbzrqmaaqo
-rwxr-xr-x 1 root admin 323 апр 3 23:55 xdphzejxlx
-rwxr-xr-x 1 root admin 323 апр 3 23:55 xdzluubldx
-rwxr-xr-x 1 root admin 323 апр 3 23:55 xgqggmacwf
-rwxr-xr-x 1 root root 323 апр 8 13:50 xmpwotmqnr

If there are many such files, you can locate and delete them with find, matching the 323-byte size seen in the listing (review the match list first, since any 323-byte file in /etc/init.d would be removed):

find /etc/init.d/ -type f -size 323c -delete
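A read-only scan that reports the indicators from step 1 and step 4 (known dropper paths, random-named binaries in /usr/bin, dropper-sized init.d scripts) without deleting anything, so the results can be reviewed before the removal commands above are run. This is an added example, not code from the original post or from itldc.com. The function name scan_for_ddos_trojan, the ROOT prefix parameter (so the function can be exercised against a scratch directory), the ten-lowercase-letter name pattern and the size-bucket heuristic are my assumptions drawn from the listings above; the fixed paths and the 323-byte size are the ones the post names.

```sh
#!/bin/sh
# Added example: report the indicators described in the post, delete nothing.
# scan_for_ddos_trojan ROOT [INITD_SIZE]
#   ROOT        filesystem prefix: "" for the live system, a scratch directory for tests
#   INITD_SIZE  byte size of the dropped init.d scripts (323 in the listing above)
# Prints one line per finding:
#   IOC path: <file>                 a known dropper path from the post exists
#   size-cluster <n>KiB: <files>     two or more 10-letter random-named binaries
#                                    in /usr/bin fall in the same 1 KiB size bucket
#                                    (625622 and 625633 above both land in bucket 610)
#   initd-size-match: <file>         a 10-letter init.d script of exactly INITD_SIZE bytes
scan_for_ddos_trojan() {
    root=${1%/}
    initd_size=${2:-323}
    # ten lowercase letters, like xmpwotmqnr / lluoohrpal / xbzrqmaaqo (assumed pattern)
    pat='[a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z]'

    # 1. fixed paths named in the post: cron dropper, libudev.so, update binaries
    for p in /etc/cron.hourly/gcc.sh /lib/libudev.so /etc/init.d/update /tmp/update; do
        [ -e "$root$p" ] && echo "IOC path: $root$p"
    done

    # 2. random-named binaries in /usr/bin whose sizes cluster: the copies in the
    #    ls listing differ by a few bytes, so bucket by KiB rather than exact size
    if [ -d "$root/usr/bin" ]; then
        find "$root/usr/bin" -maxdepth 1 -type f -name "$pat" | while IFS= read -r f; do
            printf '%s %s\n' "$(wc -c < "$f" | tr -d ' ')" "$f"
        done | sort -n | awk '
            { b = int($1 / 1024); n[b]++; files[b] = files[b] " " $2 }
            END { for (b in n) if (n[b] > 1) print "size-cluster " b "KiB:" files[b] }'
    fi

    # 3. init.d scripts of the dropper size: listed, not deleted, so a legitimate
    #    script that happens to be that size can be reviewed before any find -delete
    if [ -d "$root/etc/init.d" ]; then
        find "$root/etc/init.d" -maxdepth 1 -type f -name "$pat" -size "${initd_size}c" |
            sed 's/^/initd-size-match: /'
    fi
    return 0
}

# Usage on the live system:
#   scan_for_ddos_trojan ""
```

The name and size heuristics in parts 2 and 3 are review aids, not proof: legitimate ten-letter binaries can share a KiB bucket by chance, which is why the function only lists candidates and leaves deletion to the explicit commands above.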

5. Scan with ClamAV. On CentOS, install clamav:

yum install clamav

On Debian/Ubuntu, install clamav:

apt-get install clamav

Then start a recursive scan that reports only infected files:

clamscan -r -i /

6. Finally, it is recommended to restrict logins to a designated IP address.

via: https://itldc.com/blog/vozmozhnaya-uyazvimost-v-vesta-i-sposob-lecheniya-ot-trojan-ddos_xor/


All copyrights belong to 888u unless otherwise stated.