Topic: *** SECURITY information for domain.ch ***

spicer
*** SECURITY information for domain.ch ***
« on: November 16, 2020, 05:26:27 am »
For about 2 weeks I have been receiving this email at root@domain.ch:

*** SECURITY information for domain.ch ***

domain.ch : Nov 16 11:31:01 : ftp : user NOT in sudoers ; TTY=unknown ; PWD=/srv/ftp ; USER=root ; COMMAND=/sbin/sysctl kernel.nmi_watchdog=0

The notification comes in intervals between 1 to 60 minutes.

Is that an EHCP Force problem?
I haven't made any updates since then.

My OS is Debian 10, php7.3, Xenforo 2.1

A colleague has exactly the same thing.

Edit:
I found the mining virus and removed it with this tutorial.
I hope it is not a vulnerability in EHCP Force...
« Last Edit: November 16, 2020, 12:38:22 pm by spicer »
Translator for german EHCPforce

spicer
Re: *** SECURITY information for domain.ch ***
« Reply #1 on: November 17, 2020, 08:31:05 am »
Does anyone know how to delete this mining malware and where it is coming in from?
Via the LXC container?
Translator for german EHCPforce

earnolmartin (Administrator)
Re: *** SECURITY information for domain.ch ***
« Reply #2 on: November 24, 2020, 04:42:22 pm »
Hi Spicer,

The update made on November 14th should patch this vulnerability.  I too unfortunately suffered through it.  It was caused by vulnerabilities in the open configuration of php-fpm which has since been hardened.

Here is a script I put together that I used to remove the Miner:

Code:
sudo -i                                  # become root; run the rest from this root shell
killall -9 kdevtmpfsi                    # stop the miner process
killall -9 kinsing                       # stop the kinsing dropper that re-spawns the miner
rm -rf /var/tmp/kinsing                  # dropped binaries and working directories
rm -rf /var/tmp/.ICEd-unix               # look-alike of the X11 socket dir used as a hiding place
rm -rf /var/tmp/.ICE-unix
rm -rf /tmp/kdevtmpfsi
rm -rf /tmp/.ICEd-unix
rm -rf /tmp/.ICE-unix                    # note: also the normal X11 socket directory
rm -rf /tmp/kinsing
rm -rf /tmp/libsystem.so                 # preload library dropped by the malware
rm -rf /var/spool/cron/crontabs/ftp      # persistence: crontabs installed for the ftp
rm -rf /var/spool/cron/crontabs/vsftpd   # and vsftpd users (the sudo alerts come from "ftp")

I would update EHCP Force to the latest version, and then I would run the above commands as the root user.
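An added check, not part of earnolmartin's post or of the EHCP Force project, that looks for the same indicators before anything is deleted; the ROOT argument, the script name in the usage comment and the auth.log path are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: check a Debian host for the Kinsing /
# kdevtmpfsi indicators named in the cleanup script above, deleting nothing.
# Optional ROOT argument makes the file checks run against a staged tree.
# Indicator paths from the thread. /tmp/.ICE-unix is left out on purpose:
# it is the normal X11 socket directory, so its presence alone proves nothing.
KINSING_PATHS="/var/tmp/kinsing /var/tmp/.ICEd-unix /tmp/kdevtmpfsi \
/tmp/.ICEd-unix /tmp/kinsing /tmp/libsystem.so \
/var/spool/cron/crontabs/ftp /var/spool/cron/crontabs/vsftpd"
KINSING_PROCS="kdevtmpfsi kinsing"

# Print each indicator path present under ROOT (default /). Exit 0 if any was
# found, 1 if the tree is clean (grep-style status).
find_kinsing_files() {
  root="${1:-}"; hit=1
  for p in $KINSING_PATHS; do
    if [ -e "$root$p" ]; then
      echo "file: $root$p"; hit=0
    fi
  done
  return $hit
}

# Print running processes with the miner's exact names; exit 0 if any found.
find_kinsing_procs() {
  hit=1
  for n in $KINSING_PROCS; do
    if pgrep -x "$n" >/dev/null 2>&1; then
      echo "process: $n"; hit=0
    fi
  done
  return $hit
}

# From an auth log or saved notification mail, print the COMMAND of every sudo
# refusal for the ftp user (the alert line quoted at the top of the thread).
ftp_sudo_commands() {
  sed -n 's/.*:[[:space:]]*ftp : user NOT in sudoers.*COMMAND=//p' "$1"
}

# Run every check; exit 0 when at least one indicator was present, 1 if clean.
scan_host() {
  status=1
  find_kinsing_files "$1" && status=0
  find_kinsing_procs && status=0
  ftp_sudo_commands "${1:-}/var/log/auth.log" 2>/dev/null | grep -q . && status=0
  return $status
}
# Usage (assumed file name): sh kinsing-check.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then scan_host "${2:-}"; fi
```

Run it as root with `--scan` before the removal commands, so you know which of the listed files and crontabs actually exist on your host.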

earnolmartin (Administrator)
Re: *** SECURITY information for domain.ch ***
« Reply #3 on: November 24, 2020, 06:29:11 pm »
Just update to the latest EHCP Force Edition following the instructions on https://ehcpforce.tk/download.php#ehcpforceupdate

It should fix it for you.