*** SECURITY information for domain.ch ***

spicer:
For about 2 weeks I have been receiving this email at root@domain.ch:

*** SECURITY information for domain.ch ***

domain.ch : Nov 16 11:31:01 : ftp : user NOT in sudoers ; TTY=unknown ; PWD=/srv/ftp ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0

The notification comes in intervals between 1 to 60 minutes.

Is that an ehcp force problem?
I haven't made any updates since then.

My OS is Debian 10, php7.3, Xenforo 2.1

A colleague has exactly the same thing.

Edit:
I found the mining virus and removed it with this tutorial.
I hope it is not a vulnerability in EHCP force...
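
The alert quoted above has a fixed shape (host, date, user, reason, then TTY/PWD/USER/COMMAND fields). As an added example, not from this thread or from EHCP, here is a small triage script that parses lines in that format and flags denials that come from a service account, have no TTY, or try the sysctl change seen in the mail. The first sample line is the one from the post; the second is constructed, and the service-account list is an assumption to adapt to your server.

```python
import re

# Format of the sudo "NOT in sudoers" mail body quoted in the post:
#   host : date : user : reason ; TTY=... ; PWD=... ; USER=... ; COMMAND=...
SUDO_DENIAL = re.compile(
    r"^(?P<host>\S+) : (?P<date>.+?) : (?P<user>\S+) : (?P<reason>[^;]+?) ;"
    r" TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Accounts that should never call sudo on a hosting box (assumption: adjust to your setup).
SERVICE_ACCOUNTS = {"ftp", "vsftpd", "www-data"}
# Command from the post: the miner disables the NMI watchdog before pegging the CPU.
SUSPICIOUS_CMDS = (re.compile(r"sysctl\s+kernel\.nmi_watchdog=0"),)

# Constructed sample input: line 1 is the alert from the post, line 2 is a benign denial.
SAMPLE_LOG = [
    "domain.ch : Nov 16 11:31:01 : ftp : user NOT in sudoers ; TTY=unknown ; "
    "PWD=/srv/ftp ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0",
    "domain.ch : Nov 16 12:00:00 : alice : command not allowed ; TTY=pts/0 ; "
    "PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
]


def parse_denial(line):
    """Return the fields of one sudo denial line, or None if it is not in that format."""
    m = SUDO_DENIAL.match(line.strip())
    return m.groupdict() if m else None


def classify(line):
    """Parse a line and attach a list of reasons why it looks like a compromised account."""
    rec = parse_denial(line)
    if rec is None:
        return None
    flags = []
    if rec["user"] in SERVICE_ACCOUNTS:
        flags.append("service-account-sudo")   # daemons have no business escalating
    if rec["tty"] == "unknown":
        flags.append("no-tty")                  # not an interactive admin session
    if any(p.search(rec["cmd"]) for p in SUSPICIOUS_CMDS):
        flags.append("nmi-watchdog-disable")    # matches the miner's first action
    rec["flags"] = flags
    return rec


def scan(lines):
    """Return only the parsed records that raised at least one flag."""
    return [r for r in (classify(ln) for ln in lines) if r and r["flags"]]
```

Feed it the bodies of the mails or the matching lines from /var/log/auth.log; the PWD field tells you which account's home directory the process was started from, which is where to look for the dropped binaries.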

spicer:
Does anyone know how to delete this mining malware and where it is coming in from?
Over LXC container?

earnolmartin:
Hi Spicer,

The update made on November 14th should patch this vulnerability.  I too unfortunately suffered through it.  It was caused by vulnerabilities in the open configuration of php-fpm which has since been hardened.

Here is a script I put together that I used to remove the Miner:


--- Code: ---sudo -i
killall -9 kdevtmpfsi
killall -9 kinsing
rm -rf /var/tmp/kinsing
rm -rf /var/tmp/.ICEd-unix
rm -rf /var/tmp/.ICE-unix
rm -rf /tmp/kdevtmpfsi
rm -rf /tmp/.ICEd-unix
rm -rf /tmp/.ICE-unix
rm -rf /tmp/kinsing
rm -rf /tmp/libsystem.so
rm -rf /var/spool/cron/crontabs/ftp
rm -rf /var/spool/cron/crontabs/vsftpd

--- End code ---

I would update EHCP Force to the latest version, and then I would run the above commands as the root user.

earnolmartin:
Just update to the latest EHCP Force Edition following the instructions on https://ehcpforce.tk/download.php#ehcpforceupdate

It should fix it for you.