• GoDaddy Community
  • VPS & Dedicated Servers

    My VPS server is root compromised

    Hello,


    I have a VPS based on Linux and this server is compromised at the root level by malware known as ShellBot. This malware is known to cause errors when running the "crontab" command but can potentially cause many other problems including not being able to start certain services.

    The presence of the following file is an indication of this malware.

    ==============================
    [root@s148-72-213-141 ~]# stat /lib/libgrubd.so
      File: ‘/lib/libgrubd.so’
      Size: 23296            Blocks: 48         IO Block: 4096   regular file
    Device: fd01h/64769d    Inode: 349968      Links: 1
    Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (   12/    mail)
    Access: 2019-08-18 12:48:55.925657998 -0700
    Modify: 2019-06-19 12:35:35.458000000 -0700
    Change: 2019-06-19 12:35:35.459000000 -0700
     Birth: -

    [root@s148-72-213-141 ~]# lsof /usr/lib/libgrubd.so
    COMMAND     PID            USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
    systemd       1            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    systemd-j  1336            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    systemd-u  1360            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    auditd     1392            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    polkitd    2554         polkitd mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    dbus-daem  2555            dbus mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    rpcbind    2564             rpc mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    smartd     2572            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    irqbalanc  2573            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    pure-auth  2581            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    ....
    ....
    ==============================
    I think this probably occurred as a result of the recent Exim vulnerability CVE-2019-10149, since the GID on the file is 'mail'.

    The reason this server was exploited is because cPanel updates were disabled by setting the version to 11.68.0.36 in the cpupdate.conf file:

    =====================
    [root@s148-72-213-141 ~]# grep CPANEL /etc/cpupdate.conf
    CPANEL=11.68.0.36
    =====================

    The only actions that can be considered to reasonably address a root compromised server are to either perform a fresh Operating System and WHM/cPanel installation and restore account backups or to migrate the accounts to a known clean server that hasn't been previously root compromised.


    Now what should I do???

    2 REPLIES
    Super User III

    Re: My VPS server is root compromised

    @smrizwans 


    Contacting phone support in this instance is probably your best option. Ask to be transferred to the Hosting Department; they should be able to give you some options.



    I am a GoDaddy End User - Just Like You
    * Please note that I offer free advice on this forum. I DO NOT answer private messages. Please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *

    Once your issue is resolved,
    please be sure to come back and click accept for the solution

    Get Better Support on the Community Boards!
    Etiquette When Asking for Help from the Community


    Re: My VPS server is root compromised

    Hey, thanks man, but unfortunately they won't help. I have received different responses from their end, like they don't have specialist staff, and now that I am not using managed services I have to change my package for assistance.


    See, the following is the evidence of the malware:

    =================================
    [root@s148-72-213-141 ~]# sha256sum /lib/libgrubd.so
    81566c65e311874709790e212921c7402f4239f7989608d966044e8477934c88 /lib/libgrubd.so

    3rd party verification: https://www.virustotal.com/gui/file/81566c65e311874709790e212921c7402f4239f7989608d966044e8477934c88... 


    I think I'm on my own; it wasn't a wise decision to shift to GoDaddy indeed!
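The two pieces of evidence in this thread, a library mapped into nearly every process on the box (the `lsof` output in the first post) and a SHA-256 that matches a known sample (the second reply), are both things a defender can check mechanically. The script below is an added example, not code from the thread or from GoDaddy: it parses `lsof`-style output to find a library that is mapped into many processes running as different users, which is how a library injected into everything (for example through a preload mechanism) shows up, and it hashes the indicator paths named in the thread against the hash posted there. The `lsof` sample is a constructed excerpt of the lines posted above; the `b"abc"` bytes in the hashing helper are constructed test input; the path list and the hash come from the thread. `scan_host()` only reports on the live filesystem and changes nothing.

```python
"""Defender-side checks for the ShellBot indicators discussed in the thread:
a shared library mapped into many unrelated processes, and a file whose
SHA-256 matches the posted sample. Example code, not from the thread."""
import hashlib
import os
from collections import defaultdict

# Indicator paths named in the thread (stat showed /lib, lsof showed /usr/lib;
# both refer to the same inode on a merged-/usr system).
INDICATOR_PATHS = ("/lib/libgrubd.so", "/usr/lib/libgrubd.so")
# SHA-256 reported in the second reply for the malicious library.
KNOWN_BAD_SHA256 = "81566c65e311874709790e212921c7402f4239f7989608d966044e8477934c88"

# Constructed sample: an excerpt of the `lsof` output posted in the thread.
SAMPLE_LSOF = """\
COMMAND     PID            USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
systemd       1            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
systemd-j  1336            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
auditd     1392            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
polkitd    2554         polkitd mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
dbus-daem  2555            dbus mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
rpcbind    2564             rpc mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
"""


def parse_lsof(text):
    """Return {path: {(command, pid, user), ...}} from lsof output."""
    mapped = defaultdict(set)
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        command, pid, user = fields[0], int(fields[1]), fields[2]
        mapped[fields[-1]].add((command, pid, user))
    return mapped


def suspicious_mappings(text, min_processes=3):
    """Paths mapped into at least `min_processes` processes owned by more than
    one user. A legitimate dependency of a single daemon does not look like
    this; a library injected into every process does."""
    result = {}
    for path, procs in parse_lsof(text).items():
        users = {user for _, _, user in procs}
        if len(procs) >= min_processes and len(users) > 1:
            result[path] = sorted(procs, key=lambda p: p[1])
    return result


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_host(paths=INDICATOR_PATHS):
    """Report (path, sha256, matches_known_bad) for each indicator path that
    exists on the live filesystem. Read-only; nothing is modified."""
    findings = []
    for p in paths:
        if os.path.lexists(p):
            digest = sha256_file(p)
            findings.append((p, digest, digest == KNOWN_BAD_SHA256))
    return findings


if __name__ == "__main__":
    for path, procs in suspicious_mappings(SAMPLE_LSOF).items():
        owners = ", ".join(f"{c}[{pid}] as {u}" for c, pid, u in procs)
        print(f"{path}: mapped into {len(procs)} processes: {owners}")
    for path, digest, is_known_bad in scan_host():
        print(f"{path} present, sha256={digest}, matches posted sample: {is_known_bad}")
```

On a real host, feed `suspicious_mappings()` the output of `lsof -n` (or of `lsof +L1` to also catch a deleted-but-still-mapped library) rather than the sample; a hit is a reason to treat the box as compromised, not something to clean in place, which matches the conclusion in the first post that only a rebuild or a migration to a known-clean server is a reasonable response.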