Hey, @Mike19!
Now that my head is a bit clearer (I was preparing a video for our channel, and then got introduced to a toothache as I was about to do my rounds here) I can address your questions.
Yes, when you install a new SSL certificate, the old one is overwritten.
For your CyberPanel’s Admin password, SSH to your VPS and elevate your privileges as root, via:
sudo su
Then execute:
adminPass <newpassword>
And use your desired password in the field (without the < >)
Per Thunderbird, that’s the client application that I installed on my local system. From there on, I went to the CyberPanel to check on the credentials I needed to input in the Thunderbird’s fields. There are two ways to install Thunderbird on your system. One is via the Software Center, and the other is via terminal, by using the command (if it’s not already installed):
sudo apt install thunderbird
For Ubuntu/Debian/Mint/Zorin, etc. - If you’re using Arch/Manjaro or an equivallent, the command is:
sudo pacman -S thunderbird
To your P.S., you don’t need thunderbird on your server. That’s a graphic user interface application, and your server is text-based.
So, it’s safe to uninstall it from your server, via:
Thanks Vasileios, I got your changes done. Sorry to hear about your toothache. Those can be really annoying. I use food-grade hydrogen peroxide to swish around in my mouth, but don’t swallow. That seems to take away the pain temporarily until you can get an appointment with a dentist.
I visited dnschecker.org and found that my domain name is registered properly as well as my email. I don’t understand why I’m still getting a warning that my site is not safe when I enter <talon65.online> but no warning when I enter talon65.online:8090. I guess I’m missing something here. Also my cyberpanel shows my cpu usage running at 100%. That’s seem kind of high since I’m not really doing anything on the site.
Thanks again…
PS: Success!!! I got through page 27 of your server tutorial without too many more bruises. I’m now up and running with email and ftp. I scored a 6.1 on my checkout with no errors and 10 warnings. Lot’s of questions about some of those warnings, but I think I’ll take a breather for a few days and go back to my laptop and work on putting windows in a virtual box.
Thanks again.
You’re most welcome, @Mike19!
And thank you for your tips!
Per your 100% CPU usage, can you please screenshot the graph of your VPS’ CPU usage for the last 24 or so hours? The reason I’m asking is that bots try to probe virtual private servers. This can shoot the CPU up via spikes. If that’s the case, we can set up steps to secure your server even more.
However, if your CPU shows to be flat 100% constantly, then we might need to get a bit more aggressive with security.
Great work!
Also, when you get the opportunity, please take a screenshot of the mail-tester and post it here (you can drag and drop the picture in the response window) so that we can see how the score can go up.
Ouch. @Mike19, have you hardened your security on the SSH configuration by not allowing Root or Password Login?
Because from what I’m looking, it appears that your VPS was hacked and someone installed Crypto Miner software on it.
Vasileios, Sorry for the delay getting back to you. Coincidentally, I lost my Viasat Modem right after I received your reply. It was fried, and the technician just got out to replace it today. Maybe I’m a little paranoid, but I was wondering if the people that are using my remote server could somehow have worked their way back to my modem and destroyed it? That’s really weird!!! I had hardened the server by setting “No” on the password login and the root login. I’ll go and check it out now and let you know if somehow it got changed back. Thanks for the feedback.
PS: root login was permitted, I set it to “no” twice since it actually appears twice. Password login and PAM were already set to “no” as they should have been. Once I set them, I saved and exited and then went back in to make sure it took this time. Looks good now. We’ll see if my cpu usage drops to normal now. Is there anything else I need to do to get the malware out of my server, or would you suggest just trashing it and starting over? Either way, it is after all a learning exercise… I don’t have anything stored on there as of yet.
Hey @Mike19!
Apologies for my delay as well. I’ve been in the “cave” working on the 3-video part of the next upcoming LMS. The size of it is literally 3 courses in one, so it claims a lot of my time.
I don’t think anyone can remotely fry a router, other than a power fluctuation. Those little devices run an operating system of their own, with a CPU and RAM. When there are many devices in a place, they can get overloaded and a power fluctuation can cause significant harm. The other day I had to go into the deep settings of my Synology NAS, because we had a power outage a while back and I noticed the drives wouldn’t stop. I received the warning that the drives had write-cache on by default (which I don’t recommend) and the power outage caused an issue. So, I had to initiate a file scrub and disable the cache feature.
There are two ways to deal with it. One would be to find which application it is via HTOP, which you can install it via:
sudo apt install htop
And then run it, by executing ‘htop’ and see which file takes over the CPU. Then you can purge it. However, as far as I am aware, the hackers also mess up with the SSH configurations to know that they can get back on your VPS. Unless you have done significant work on your VPS, I would recommend you restart it and make sure you also change the PORT number of your SSH. I laid down the instructions to do that in our latest Workshop (27), and have the written instructions for it.
Please let me know which course you’d be more comfortable following.
Thanks Vasileous,
This is what I get when I run htop. Only 2 processes are running; htop and bash. So I don’t understand what is causing the 100% CPU, unless there is a silent hacker lurking in the background.
You were right, there was a lot more. I didn’t do it as super user before. I killed the top three and more kept taking its place, keeping the cpu at 100%. I guess I’m either going to learn how to thwart these attacks or just blow it up and start over. What say you?
Thanks again.
If you get any errors (especially the uninstall), ignore it completely.
Then run:
firewall-cmd --list-all
And send me the list of open ports. Have the following command ready to block any port that does not match the following ones that CyberPanel installed.
The CyberPanel ports are:
TCP: 8090 for CyberPanel
TCP: 80, TCP: 443 and UDP: 443 for webserver
TCP: 21 and TCP: 40110-40210 for FTP
TCP: 25, TCP: 587, TCP: 465, TCP: 110, TCP: 143 and TCP: 993 for mail service
TCP: 53 and UDP: 53 for DNS service
In short, if you see any additional ports other than 21, 25, 53, 80, 110, 143, 443, 465, 587, 8090 AND your SSH port (normally 22, unless you changed it), execute the following commands:
Also, when you get into CyberPanel, check the FTP area for any accounts you don’t recognize. If you find one, delete it and immediately change your CyberPanel password to something… extravagant!
I see PID 365735 is still active at 99.3% of my cpu. I did change my cyberpanel to something “exotic.” Looks like 407864 is also running and alternating with the 365735 about every three seconds. I killed it and it was replaced by 408064. This may be a tougher nut to crack…
Yup. He made himself an FTP account too to get files in and out.
I’d recommend you look into CyberPanel and eliminate the GhostRider user, or any other user for that matter.
Also, two more questions:
Were you able to change your SSH port?
Were you successful in executing the command rm -Rf /root/* as root?
I can address your questions. 
