VestaCP's gcc.sh vulnerability and detection and removal methods

VestaCP, the web management panel recommended by this site, has been found to have a vulnerability. Here is how to detect and remove the resulting infection.

All commands are run over SSH:
1. First, determine whether the server has been compromised:

 find /etc -name gcc.sh -print

If the output shows /etc/cron.hourly/gcc.sh, a Trojan has been planted.

2. If a Trojan is found, back up all data.

3. Block gcc.sh

 chmod 0 /etc/cron.hourly/gcc.sh; chattr +ia /etc/cron.hourly/gcc.sh; chattr +i /etc/crontab

4. Find the Trojan. It comes in two versions: the first is called update, and the second has a randomly generated name (such as ahzihydns or rangqpbjp).
a. Use lsof to find the update Trojan:

lsof -n |grep /tmp/update

 update 31116 root txt REG 253,2 625611 146301 /tmp/update
 update 31116 31124 root txt REG 253,2 625611 146301 /tmp/update
 update 31116 31125 root txt REG 253,2 625611 146301 /tmp/update
 update 31116 31126 root txt REG 253,2 625611 146301 /tmp/update

For the update processes found this way, first stop them:

 kill -STOP 31116

Then delete the binary:

 rm /tmp/update

Finally, kill the stopped processes:

 kill -9 31116

If /etc/init.d/update exists, delete it as well.
Finally, delete /lib/libudev.so:

 rm /lib/libudev.so

b. Removing the randomly named Trojan is more difficult. First check whether there are recently created executables in /usr/bin:

 # ls -lt /usr/bin | head -20
 итого 171828
 -rwxr-xr-x 1 root root 625622 апр 4 00:01 xmpwotmqnr
 -rwxr-xr-x 1 root admin 625633 апр 3 23:55 lluoohrpal
 [...]

For files like these, stop the processes running from them (matched here by file size) and then delete them:

 kill -STOP `lsof -n | egrep "625622|625633" | grep -v deleted| awk '{print $2}' | uniq`

View the list of files to be deleted:

 # lsof -n | egrep "625622|625633"
 xmpwotmqn 1120 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr
 xmpwotmqn 1120 1169 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr
 xmpwotmqn 1120 1170 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr
 xmpwotmqn 1120 1171 root txt REG 253,2 625622 1519267 /usr/bin/xmpwotmqnr

Delete /usr/bin/xmpwotmqnr, /usr/bin/lluoohrpal, and /lib/libudev.so.
Then kill the processes that were stopped earlier:

 kill -9 `lsof -n | egrep "625622|625633" | awk '{print $2}' | uniq`

Check whether any malicious scripts remain in /etc/init.d, for example:

 -rwxr-xr-x 1 root admin 323 апр 3 23:55 xbzrqmaaqo
 -rwxr-xr-x 1 root admin 323 апр 3 23:55 xdphzejxlx
 -rwxr-xr-x 1 root admin 323 апр 3 23:55 xdzluubldx

If there are many such files, you can locate them with find (here by their size of 323 bytes) and delete them:

 find /etc/init.d/ -type f -size 323c -delete

 -rwxr-xr-x 1 root admin 323 апр 3 23:55 xgqggmacwf
 -rwxr-xr-x 1 root root 323 апр 8 13:50 xmpwotmqnr

5. Check with ClamAV
Install ClamAV on CentOS:

 yum install clamav

Install ClamAV on Debian/Ubuntu:

 apt-get install clamav

Then start the scan:

 clamscan -r -i /

6. Finally, it is recommended to restrict login to specific IP addresses.
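The checks from steps 1 and 4 can be gathered into one read-only triage script. This is an added example, not part of the original post: it only reports the indicators described above and never stops processes or deletes files, so the 323-byte init scripts can be reviewed before running the find -delete command. The optional ROOT argument (an assumption added for testing) prefixes every path so the checks can also run against a copied or constructed directory tree; the 625000-626000 byte range is a heuristic derived from the sizes in the listings above.

```shell
#!/bin/sh
# Added example: read-only triage for the gcc.sh / update Trojan indicators.
# ROOT (assumption) is prepended to every path; empty means the live system.

check_xor_ddos_indicators() {
    root="${1:-}"
    # 1. Fixed paths named in the write-up: cron dropper, init script, library, /tmp binary
    for f in /etc/cron.hourly/gcc.sh /etc/init.d/update /lib/libudev.so /tmp/update; do
        [ -e "$root$f" ] && echo "INDICATOR: $root$f exists"
    done
    # 2. Random-named init scripts: the listings show 323-byte files whose names are
    #    9-10 lowercase letters. Report them rather than deleting blindly.
    for f in "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -eq 323 ] && echo "$name" | grep -Eq '^[a-z]{9,10}$'; then
            echo "INDICATOR: init script $f is 323 bytes with a random-looking name"
        fi
    done
    # 3. Random-named executables in /usr/bin close in size to the 625611-625633 byte
    #    binaries in the listings (the range is a heuristic, an assumption of this example).
    for f in "$root"/usr/bin/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=$(basename "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        if echo "$name" | grep -Eq '^[a-z]{9,10}$' && [ "$size" -ge 625000 ] && [ "$size" -le 626000 ]; then
            echo "INDICATOR: binary $f ($size bytes) matches the dropper profile"
        fi
    done
    return 0
}

# Prints the number of indicator lines found; 0 means nothing matched.
count_xor_ddos_indicators() {
    check_xor_ddos_indicators "$1" | grep -c '^INDICATOR:' || true
}

# On a live host, run as root with no argument: check_xor_ddos_indicators
```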

via: https://itldc.com/blog/vozmozhnaya-uyazvimost-v-vesta-i-sposob-lecheniya-ot-trojan-ddos_xor/
