Author Topic: *** SECURITY information for domain.ch ***  (Read 1143 times)

spicer (Newbie, Posts: 45, ltspiceusers.ch)
*** SECURITY information for domain.ch ***
« on: November 16, 2020, 05:26:27 am »
For about 2 weeks I have been receiving this email at root@domain.ch:

*** SECURITY information for domain.ch ***

domain.ch : Nov 16 11:31:01 : ftp : user NOT in sudoers ; TTY=unknown ; PWD=/srv/ftp ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0

The notification arrives at intervals of between 1 and 60 minutes.

Is that an EHCP Force problem?
I haven't made any updates since then.

My OS is Debian 10, php7.3, Xenforo 2.1

A colleague has exactly the same thing.

Edit:
I found the mining virus and removed it with this tutorial.
I hope it is not a vulnerability in EHCP Force...
« Last Edit: November 16, 2020, 12:38:22 pm by spicer »
If there are several ways to do a job, and one of them ends in catastrophe or otherwise leads to undesirable consequences, then someone will do it exactly that way. Anything that can go wrong will go wrong.
(Murphy's Law)

spicer (Newbie, Posts: 45, ltspiceusers.ch)
Re: *** SECURITY information for domain.ch ***
« Reply #1 on: November 17, 2020, 08:31:05 am »
Does anyone know how to delete this mining malware and where it is coming in from?
Via an LXC container?

earnolmartin (Administrator, Sr. Member, Posts: 272)
Re: *** SECURITY information for domain.ch ***
« Reply #2 on: November 24, 2020, 04:42:22 pm »
Hi Spicer,

The update made on November 14th should patch this vulnerability. I too unfortunately suffered through it. It was caused by vulnerabilities in the open configuration of php-fpm, which has since been hardened.

Here is a script I put together that I used to remove the Miner:

Code:
sudo -i
# Stop the running miner processes.
killall -9 kdevtmpfsi
killall -9 kinsing
# Remove the dropped binaries and the directories they work from.
rm -rf /var/tmp/kinsing
rm -rf /var/tmp/.ICEd-unix
rm -rf /var/tmp/.ICE-unix
rm -rf /tmp/kdevtmpfsi
rm -rf /tmp/.ICEd-unix
rm -rf /tmp/.ICE-unix
rm -rf /tmp/kinsing
rm -rf /tmp/libsystem.so
# Remove the crontabs of the ftp and vsftpd accounts.
rm -rf /var/spool/cron/crontabs/ftp
rm -rf /var/spool/cron/crontabs/vsftpd

I would update EHCP Force to the latest version, and then I would run the above commands as the root user.
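
The sudo notification quoted in the first post and the cleanup script in this reply together give enough to write a small triage helper. The script below is an added example, not code from this thread and not part of EHCP Force. It assumes the sudo line format shown above (and the equivalent line as it appears in /var/log/auth.log), and it checks only the file and crontab paths that the cleanup script removes; the sample log lines are constructed for the demonstration, and the function names are my own.

```sh
#!/bin/sh
# Added triage helper (not code from the thread or from EHCP Force).
# 1. sudo_denials_no_tty: pulls user and command out of sudo's
#    "user NOT in sudoers" lines, keeping only those with TTY=unknown,
#    i.e. not typed by a person at a terminal. Accepts both the mail
#    format quoted in the first post and the /var/log/auth.log format.
# 2. kinsing_iocs: checks the file and crontab paths from the cleanup
#    script above, under an optional root prefix (so a mounted disk image
#    or a test tree can be scanned).
# 3. miner_pids: lists PIDs whose command name is kinsing or kdevtmpfsi.

# Constructed sample input: line 1 is the notification from the first post,
# line 2 is the same kind of event as syslog would write it, line 3 is an
# ordinary user at a terminal and must be ignored.
SAMPLE_LOG='domain.ch : Nov 16 11:31:01 : ftp : user NOT in sudoers ; TTY=unknown ; PWD=/srv/ftp ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0
Nov 16 11:45:01 domain sudo:      ftp : user NOT in sudoers ; TTY=unknown ; PWD=/srv/ftp ; USER=root ; COMMAND=/bin/chmod +x /tmp/kdevtmpfsi
Nov 16 12:02:13 domain sudo:    alice : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update'

# Reads log text on stdin, prints "user<TAB>command" for each matching line.
sudo_denials_no_tty() {
    awk -F' ; ' '
        /user NOT in sudoers/ && $2 == "TTY=unknown" {
            n = split($1, head, " : ")   # ... : <user> : user NOT in sudoers
            user = head[n - 1]
            sub(/.*[ \t]/, "", user)     # drop the syslog prefix, if any
            cmd = $5
            sub(/^COMMAND=/, "", cmd)
            print user "\t" cmd
        }'
}

# Prints every known drop/persistence path that exists under $1 (default /).
# /tmp/.ICE-unix itself is a normal X11 directory; only the look-alike
# .ICEd-unix is listed here.
kinsing_iocs() {
    root=${1:-/}
    root=${root%/}
    for p in /tmp/kinsing /tmp/kdevtmpfsi /tmp/libsystem.so /tmp/.ICEd-unix \
             /var/tmp/kinsing /var/tmp/.ICEd-unix \
             /var/spool/cron/crontabs/ftp /var/spool/cron/crontabs/vsftpd; do
        [ -e "$root$p" ] && echo "$root$p"
    done
    return 0
}

# Prints PIDs of running kinsing/kdevtmpfsi processes (Linux /proc only).
miner_pids() {
    for c in /proc/[0-9]*/comm; do
        [ -r "$c" ] || continue
        read -r name < "$c" || continue
        case $name in
            kinsing|kdevtmpfsi) p=${c#/proc/}; echo "${p%/comm}" ;;
        esac
    done
    return 0
}

# Usage: sh triage.sh         -> demonstrate the parser on SAMPLE_LOG
#        sh triage.sh --live  -> scan this host (run as root for a full view)
case "${1:-}" in
    --live)
        echo "== sudo denials without a TTY (auth.log)"
        grep 'user NOT in sudoers' /var/log/auth.log 2>/dev/null | sudo_denials_no_tty
        echo "== known malware paths present"
        kinsing_iocs /
        echo "== miner processes running"
        miner_pids
        ;;
    *)
        printf '%s\n' "$SAMPLE_LOG" | sudo_denials_no_tty
        ;;
esac
```

Run without arguments it only prints the two service-account denials from the sample (the alice line has a real TTY and is dropped); with `--live` it reads auth.log and checks the host. Filtering on `TTY=unknown` is the useful signal here: a web or FTP service account calling sudo from no terminal is never a person, so any such line is worth treating as a compromise indicator even after the files have been cleaned up.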

earnolmartin (Administrator, Sr. Member, Posts: 272)
Re: *** SECURITY information for domain.ch ***
« Reply #3 on: November 24, 2020, 06:29:11 pm »
Just update to the latest EHCP Force Edition following the instructions on https://ehcpforce.tk/download.php#ehcpforceupdate

It should fix it for you.