Fastrpc shouldn't be running

Opening new topic from [New version of webmin causes problem with my cron - Webmin - Virtualmin Community]

As discussed, the fastrpc shouldn’t be running. My site was hacked a while back. I pulled out all extraneous programs, I thought. But it never occurred to me about webmin, as I didn’t know how it worked (or really cared). Assuming that someone connected theirs to mine to keep track of my site (let’s go on this premise), where would it indicate that on my site and how would I shut it down? If that isn’t the deal, then we’ll figure out something later.

First, I feel compelled to warn you that if your server was rooted and you don’t know with pretty high confidence how they got in and what they did, you can’t possibly trust the server anymore and you need to migrate to a new server or reinstall the OS and restore your data and sites and such from backups (being very careful about what you bring over, so you don’t invite the same attacker back in). An exploited server can never really be trusted again…if you really know what you’re doing, and can boot from a trusted read-only image, you can get pretty close to confidence, but other than that, a knowledgeable attacker can hide their tracks so well you can not see them without outside intervention (i.e. booting from trusted other media).

OK, with that out of the way, to address the fastrpc issue:

Webmin->Webmin->Webmin Servers Index lists all of the servers you have configured connections for. This includes servers used in Cluster modules and used in BIND module, and the database modules.

It won’t list other servers that may have your server listed in their Cluster servers. And, it does not mean those fastrpc processes aren’t actually somebody else’s exploited version. That may be providing a back door to control your system.

I assume you have changed your root password? Check the /var/log/miniserv.log to see who is making that request. Assuming it hasn’t been modified to hide information from you, of course (if I were an attacker and I were planning to come in through Webmin’s fastrpc in the future, I would make it hide my requests), it will provide the IP(s) that are making those requests…if you don’t recognize them, you can block them.

But, you had cronjobs using fastrpc…so, your system was presumably configured to copy something to other servers (there’s no other reason you’d have Webmin fastrpc functions being called from cronjobs). I don’t think you cleaned up your exploited system as well as you think you did.
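The check described above (read miniserv.log, find who is calling fastrpc, compare against the servers you actually configured) can be scripted. This is an added example written for this thread, not code from Webmin or Virtualmin. It assumes miniserv.log uses the common-log style layout `<ip> - <user> [<date>] "<method> <path> HTTP/1.x" <status> <bytes>` and that remote RPC calls show up with `fastrpc` in the request path (Webmin's `fastrpc.cgi`); the sample log lines are constructed, and the allowlist is the set of IPs you recognise from Webmin Servers Index.

```shell
#!/bin/sh
# Added example (not from the thread or from Webmin): summarise who is calling
# Webmin's fastrpc endpoint according to miniserv.log, and single out IPs that
# are not in the list of servers you know about.
#
# Assumed log layout (adjust the field numbers if yours differs):
#   $1 ip  $2 -  $3 user  $4 [date  $5 tz]  $6 "METHOD  $7 path  $8 HTTP/1.x"  $9 status  $10 bytes

# Write a small constructed sample log to the given path (for demonstration only).
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - root [01/Mar/2024:02:00:01 +0000] "POST /fastrpc.cgi HTTP/1.1" 200 512
10.0.0.5 - root [01/Mar/2024:02:00:02 +0000] "POST /fastrpc.cgi HTTP/1.1" 200 512
203.0.113.77 - root [01/Mar/2024:03:14:15 +0000] "POST /fastrpc.cgi HTTP/1.1" 200 512
192.168.1.20 - admin [01/Mar/2024:08:00:00 +0000] "GET /virtual-server/ HTTP/1.1" 200 8192
EOF
}

# Print "count ip user" for every fastrpc request in the log, busiest source first.
fastrpc_sources() {
    logfile="$1"
    awk '$7 ~ /fastrpc/ { print $1, $3 }' "$logfile" | sort | uniq -c | sort -rn
}

# Print fastrpc source IPs that are NOT in the space-separated allowlist
# (the IPs of servers listed under Webmin -> Webmin Servers Index).
# Anything printed here is worth investigating and blocking.
unknown_fastrpc_ips() {
    logfile="$1"
    allow="$2"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $7 ~ /fastrpc/ && !($1 in ok) { print $1 }
    ' "$logfile" | sort -u
}

# Usage: sh fastrpc_check.sh /var/log/miniserv.log "10.0.0.5 192.168.1.20"
if [ "$#" -ge 1 ]; then
    echo "fastrpc requests by source IP and Webmin user:"
    fastrpc_sources "$1"
    echo "fastrpc source IPs not in your allowlist:"
    unknown_fastrpc_ips "$1" "${2:-}"
fi
```

Run it against the real log with the IPs from Webmin Servers Index as the second argument; with the constructed sample, only 203.0.113.77 is reported as unknown. Keep in mind the caveat already made in the thread: if the attacker has tampered with miniserv.log or miniserv itself, the log is not a trustworthy record.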

YUP agree!

Cleaning a hacked box is not the same as removing only a virus in data, where even there it could be wise to reinstall things (depending on whether it is an activated one or only “sleeping” in that data).