HACKED Just after using aaPanel

aaP_ptakx

We got infected with Trojan:Linux/Multiverze. Everywhere files with aleatory names "QtnD8K" Into /www/wwwroot folders
We got Banned from OVH and accused of Phishing

Also an invisible file was created into our domain folder /index [.] html?iqbhbwgdvbefjnGVFXEreDCvygBYhbUni%7Cm%7CmIJnHUBGvTFCrEt*rdFTGVY

This virus is not casual and it appears just when we started using aapanel.

Also, OVH accused us to:

-pass the native CentOS security
-create a phishing website
-create DNS record for a sub-domain
-send phishing mail
-make DDoS attacks (catch by VAC engine)

Obviously we didn't make no one of this actions so... FUCK MEN !!!

aaPanel needs NOW an antivirus with active supervising.
I try Clamav but it's needed manual analysis. Any ideas about antivirus that can hace active file analizer?

JAY

what script are you using, wordpress or any other cms

aaP_ptakx

JAY Wordpress, but it was clean.

After performing an analysis with wordference I located the virus in many folders outside wordpress installation.
That means the attack had exceptional privileges even to broke Centos security and perform inside DDos attacks.

Wordpress virus normally attacks files, rights, databases... First time in my life I see such Hacking insertion into the system.

That's why I make in doubt aapanel security. And absolutelly need an antivirus that runs on the base system and supervise all user's/client's (aapanel user) actions. Even if a visitor access into wordpress and try to perform a direct DDos ttack or try to inject into PHP.

Which solution do you prupose? Is it possible to set Clamav as an active antivirus that supervise every action into the server? Or it is limited to manual periodic/scheduled analysis?

Thank you very much.

deewinc

This doesn't look like an aaPanel issue to be honest. This is a server side attack.

You can do a lot to protect your server from outside attacks.
~ Change SSH port
~ Disable SSH and use VNC
~ Use encryption keys to login
~ IP restrict server login
~ etc