Your server has been encrypted!

Hi,
My server was encrypted. Any ideas to restore it?
Thank you for your help

SYSTEM INFORMATION
OS type and version: CentOS 7 (64 Bit)
Virtualmin version: 6.16

@Cooeesistemas,

You’ve been hacked.

Are you certain it’s actually encrypted?


Thanks for your help. I don’t know; it’s very strange to me.

@Cooeesistemas,

Can you access content on the server?


Yes, via VNC and HTTP.

Found this

on Google, so I have no idea if it works.

P.S. It’s a Windows program.


If they have root, as it seems they do, you can’t trust the system anymore, even if you pay the ransom and they decrypt it (you should not pay the ransom, for a variety of reasons). You should reinstall the OS and restore your Virtualmin domains from backups, after making sure the OS and all your apps are up to date.

There’s no other good solution to a rooted system.


A good idea would be to change from CentOS to another distro, since you only have another year or so of support.
July 2024, to be exact.


Thank you José for your Help.

Thanks. Perhaps Ubuntu 22.04?

Please watch this video: i HACKED my wife’s web browser (it’s SCARY easy!!) - YouTube.

In the future, be careful which links you click on, especially those that are intentionally shortened. Once the attacker has control of the browser, he can get everything you do in it. Never use the root account with the Webmin/Virtualmin interface. Create a separate user for the interface, and connect from a computer that you can guarantee no one else uses. A browser in a VM is enough. Your server got encrypted because the attacker had all the information needed to access it with administrator rights. VNC is not an option at all as long as the data being transmitted is insecure.

About 25 years ago, keyloggers were in vogue on Windows: hidden programs that ran and recorded everything that was typed on the keyboard. Now you can get remote control by taking advantage of the naivety and lack of knowledge of users.


2FA “should” stop access to VM


Mm, it is not only VM that has access to boxes and files and data.
Example:
An email user and a combination of a security bug in Dovecot or Postfix, and so on; there are a lot of places left where security could break and access could harm data.

Even a simple script in use could break security: normally it has non-root access, but the OS or other software may have bugs where you can get root starting as a user.

So I only try to say: take care of your admin work, backups, updates, and log files.


Hey Folks,

I’d like to clarify something here…

Any distro actively being developed whether it be major releases, or even security fixes along with Virtualmin CAN keep your system secure.

Typically, security issues arise when the system is not actively being monitored for issues, hasn’t been properly hardened, or from time to time when a security fix is required either at the OS level or the software level (including Virtualmin).

Most vendors Virtualmin included are pretty quick at addressing their issues in a timely manner, as is the case with most popular distributions including RHEL and Ubuntu.

Bottom line, it is not appropriate to expect Virtualmin or any one piece of software or the distro for that matter to “harden” and “secure” your system for life.

There’s a reason why many newer users get hacked. System Administration can be a very time consuming and difficult task especially if you have a wide variety of customer types and software installed on your server.

Many, many, many hacks originate from software like WordPress due to its large ecosystem of plugins, many of which are not properly maintained or are a bit buggy at best. It’s critical that you read up on topics related to security issues with WordPress and related software to stay ahead of the attackers. Otherwise you’ll likely become a victim at some point.

All that being said, I’ve been a Sys Admin for over 2 decades (20+ years) and YES, I too occasionally have to deal with attacks against servers under my watch, and/or related to software that end users install on them.

Knowing how to address issues, and how to detect them is the key to remaining in charge even when a malicious attacker temporarily affects your systems.

I personally deploy a series of Intrusion Detection Systems (IDS), Firewalls (Cloud and Local) along with other scripts that can detect early signs of issues brewing along with Internal and External monitoring.

I actively manage over 2 dozen servers on any given day, so having a plan of action, and systems in place to aid me along the way are absolutely critical.

Anyways, my nickel of advice.

Cheers!


As Peter said, being a Web host isn’t easy. It’s a jungle out there. You have to do everything you possibly can to keep your servers and clients safe, and you have to have secure backups in multiple places for the day you fail.

One of the things I do is maintain an ephemeral database of malicious IP addresses that is shared among my servers and used to generate two blocklists. These are the IP’s that have been blocked by the firewalls for known attacks against my servers.

The IP’s include those blocked for port scans; multiple email login failures; attempted CMS logins or exploitation of vulnerabilities; attempted root logins on SSH, cPanel, or Webmin; repeated non-root login failures on cPanel or Webmin; form spam; SQL injection attempts; credential stuffing; distributed attacks; and probably some things that I’m forgetting at the moment.

One list is of all the malicious IP’s blocked by my servers in the past few days, and usually numbers between 2,000 and 2,500 malicious IP’s. The actual number of attacks would be higher, except that once one server blocks an IP, so do the others.

The other list is of the most persistent attackers that have been blocked, rehabilitated, and blocked again within the past few days. It’s much shorter, sometimes with fewer than a hundred IP’s. Hackers, and even some bots, do tend to figure out that some servers are tattletales. (That’s an advantage in itself.)

Both lists are ephemeral in the sense that IP’s that behave themselves are automatically rehabilitated and removed from the list in a few days.

Every one of the blocked IP addresses is also reported to AbuseIPDB.

The files are just text files that can be imported into CSF or IPTABLES like any other blocklist. If anyone wants the URL’s, please drop me a private message and I’ll send them to you. I’m tired of being accused of being a spammer every time I post a link.

Richard

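Added example (my own illustration, not Richard’s actual tooling) of the two-list scheme described above: an ephemeral block-event log that expires quiet IPs after a few days, and a second list of "blocked, rehabilitated, blocked again" repeat offenders. The data model is assumed: each server appends one line per firewall block, `<ISO-8601 UTC> <ip> <reason>`, to a file all servers can read. `WINDOW_DAYS`, `BLOCK_TTL_HOURS`, the sample events and the fixed "current time" are all constructed for the demo.

```python
"""Ephemeral shared malicious-IP database with two derived blocklists.

Hypothetical model: every server appends "<ISO-8601 UTC> <ip> <reason>" per
firewall block to a shared file. Entries older than WINDOW_DAYS drop out
("rehabilitation"). List A = every IP blocked inside the window. List B = IPs
whose firewall block expired (BLOCK_TTL_HOURS) and that were blocked again
inside the window, i.e. the persistent offenders.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

WINDOW_DAYS = 3        # assumption: "a few days" of quiet removes an IP from both lists
BLOCK_TTL_HOURS = 24   # assumption: how long a single firewall block lasts


def parse_events(lines):
    """Parse block-event lines; skip blanks and comments, reject malformed IPs."""
    events = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, ip, *reason = line.split()
        ip_address(ip)  # ValueError on garbage: a corrupt line must not poison the firewall
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, " ".join(reason)))
    return events


def build_lists(events, now, window_days=WINDOW_DAYS, block_ttl_hours=BLOCK_TTL_HOURS):
    """Return (all_recent, persistent): sorted IP lists, one entry per address."""
    cutoff = now - timedelta(days=window_days)
    ttl = timedelta(hours=block_ttl_hours)
    stamps = defaultdict(list)
    for when, ip, _reason in events:
        if cutoff <= when <= now:       # anything older has been rehabilitated
            stamps[ip].append(when)

    persistent = set()
    for ip, times in stamps.items():
        times.sort()
        # A block that lands after the previous block has expired is a fresh episode.
        episodes = 1 + sum(1 for a, b in zip(times, times[1:]) if b - a >= ttl)
        if episodes >= 2:
            persistent.add(ip)

    def sort_key(ip):
        addr = ip_address(ip)
        return (addr.version, addr)   # v4 and v6 cannot be compared directly

    return sorted(stamps, key=sort_key), sorted(persistent, key=sort_key)


# Constructed sample: RFC 5737 documentation addresses, not real attackers.
SAMPLE_EVENTS = """
2023-05-25T08:00:00Z 192.0.2.10   ssh-root-login       # older than the window: rehabilitated
2023-05-30T02:10:00Z 203.0.113.7  webmin-root-login
2023-05-31T14:45:00Z 203.0.113.7  wp-login-bruteforce  # >24h after the first block: came back
2023-05-31T23:00:00Z 198.51.100.4 portscan
2023-06-01T01:00:00Z 198.51.100.4 portscan             # still inside the first block: same episode
2023-06-01T09:15:00Z 192.0.2.200  sqli-attempt
"""
NOW = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

if __name__ == "__main__":
    recent, persistent = build_lists(parse_events(SAMPLE_EVENTS.splitlines()), NOW)
    print("all recent:", recent)
    print("persistent:", persistent)
```

Each returned list is already in the one-IP-per-line shape that CSF’s blocklist feature or an ipset/iptables loader consumes, so writing it out is a one-liner. The `ip_address()` check matters more than it looks: whatever writes the shared file runs on every server, and a malformed line that reached the firewall unvalidated could block nothing, or block the wrong thing, on all of them at once.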

My personal protection against ransomware consists of placing all domains in a virtual server installed on my main server, which acts as a host with VirtualBox, so I have two servers: the host holding the guest and the guest holding all Virtualmin domains.
Every week I download the complete virtual server to my house, so I have several copies stored at home.
In the case of a ransomware attack (fingers crossed), I can completely delete the encrypted server and upload a healthy copy from home.


This is an old saying, and I repeat it: he has been hacked because of his own mistakes. If you have backups, use them, but check them out first. They accessed your things because it was not good; once you figure out what’s wrong, change it. The original OP post does not share anything except some crappy info about the OS and useless info. Close this forum post as resolved, since he did not have the latest OS and has not shared updates regarding the CMS and his own code. It would be a waste of resources that Vmin actually needs. Even so, I do not think the original poster will listen. By the way, if you really restore those backups, you give the hacked server one more chance to be hacked again; it is the poorest solution anyone can recommend, and it will lead to the same problems.


This individual’s Twitter feed is interesting and useful, especially if you host WordPress or other CMS-powered sites. The reason is that you can use live sites, honeypots, spare domains you have lying around, or all of the above that are not CMS-powered to detect attacks on CMS vulnerabilities, block the IP’s, and thus protect the CMS sites.

On an Apache system, I find the easiest way to implement a blocking system focused specifically on Web-based attacks is to use .htaccess to redirect all requests for the non-existent CMS pages to a blocking or blocking / reporting script. Using CSF, all you minimally have to do is redirect to a properly-coded 403 page, and then set CSF to block the IP after x-number of 403 hits by that IP in y-number of seconds.

But there are many more possibilities depending on how much you hate Internet miscreants.

The Twitter feed linked above gives me more ideas on what pages / directories to add to the list of traps. At least a few times a week the individual posts something new to me, which I then add to my own traps.

Richard
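Added example (mine, not Richard’s script and not CSF’s code) of the trap idea described above: on a site that runs no CMS, an assumed `.htaccess` rule such as `RewriteRule ^(wp-login\.php|xmlrpc\.php|wp-admin/|administrator/|\.env) - [F,L]` turns every request for those paths into a 403 that only an attacker would ever trigger. The script below reads Apache combined-format log lines and applies the "x 403s from one IP in y seconds" rule with a sliding window. The trap prefixes, `MAX_HITS`, `WINDOW_SECONDS` and the log lines are constructed for the demo.

```python
"""Trap-path 403 detector: block an IP after MAX_HITS trap 403s in WINDOW_SECONDS.

Hypothetical setup: an .htaccess rewrite rule answers CMS paths with 403 on a
site that has no CMS, so those 403s are attack evidence. This reimplements the
"x 403 hits in y seconds" counting rule over the Apache combined log; CSF can
do the same itself (I believe the csf.conf setting is LF_APACHE_403).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRAP_PREFIXES = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/administrator/", "/.env")
MAX_HITS = 3          # assumption: "x"
WINDOW_SECONDS = 60   # assumption: "y"

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return {ip, ts, path, status} or None for lines that are not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None   # truncated or foreign line: skip it rather than crash the cron job
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # query string never changes the trap decision
        "status": int(m["status"]),
    }


def is_trap(path):
    return path.startswith(TRAP_PREFIXES)   # str.startswith accepts a tuple of prefixes


def find_offenders(lines, max_hits=MAX_HITS, window_seconds=WINDOW_SECONDS):
    """Sliding window per IP over trap 403s; returns {ip: time the threshold was crossed}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of trap 403s still inside the window
    offenders = {}
    for line in lines:            # log lines are assumed to be in time order
        rec = parse_line(line)
        if rec is None or rec["status"] != 403 or not is_trap(rec["path"]):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= max_hits and rec["ip"] not in offenders:
            offenders[rec["ip"]] = rec["ts"]
    return offenders


# Constructed sample log (RFC 5737 addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2023:09:15:01 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2023:09:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2023:09:15:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not in combined format and must be ignored
203.0.113.7 - - [01/Jun/2023:09:15:09 +0000] "GET /wp-admin/install.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2023:09:16:00 +0000] "GET /.env HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.4 - - [01/Jun/2023:09:20:00 +0000] "GET /wp-login.php?a=1 HTTP/1.1" 403 199 "-" "curl/7.88"
198.51.100.4 - - [01/Jun/2023:09:25:00 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.88"
192.0.2.200 - - [01/Jun/2023:09:30:00 +0000] "GET /contact.html HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip} (threshold crossed at {when:%H:%M:%S})")
```

In the sample, 203.0.113.7 fires three trap 403s in eight seconds and is reported; 198.51.100.4 also hits three traps, but minutes apart, so it never has three inside one 60-second window; 192.0.2.200 got a 403 on a real page and is never counted. That last case is the reason for filtering on trap paths rather than on every 403: a customer who mistypes a URL on a protected directory should not end up in the firewall.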

Of course, I have my servers reasonably protected (27+ years administering Internet and corporate servers, and not one successful attack till now, but thousands of unsuccessful attacks).
But just in case, keeping complete server backups is a must.

Better safe than sorry, they say.
