
    My VPS server is root compromised



    I have a VPS based on Linux, and this server is compromised at the root level by malware known as ShellBot. This malware is known to cause errors when running the "crontab" command but can potentially cause many other problems, including not being able to start certain services.

    The presence of the following file is an indication of this malware.

    [root@s148-72-213-141 ~]# stat /lib/libgrubd.so
      File: ‘/lib/libgrubd.so’
      Size: 23296            Blocks: 48         IO Block: 4096   regular file
    Device: fd01h/64769d    Inode: 349968      Links: 1
    Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (   12/    mail)
    Access: 2019-08-18 12:48:55.925657998 -0700
    Modify: 2019-06-19 12:35:35.458000000 -0700
    Change: 2019-06-19 12:35:35.459000000 -0700
     Birth: -

    [root@s148-72-213-141 ~]# lsof /usr/lib/libgrubd.so
    systemd       1            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    systemd-j  1336            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    systemd-u  1360            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    auditd     1392            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    polkitd    2554         polkitd mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    dbus-daem  2555            dbus mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    rpcbind    2564             rpc mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    smartd     2572            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    irqbalanc  2573            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
    pure-auth  2581            root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so

    I think this probably occurred as a result of the recent Exim vulnerability CVE-2019-10149, since the GID on the file is 'mail'.

    The reason this server was exploited is that cPanel updates were disabled by setting the version to in the cpupdate.conf file:

    [root@s148-72-213-141 ~]# grep CPANEL /etc/cpupdate.conf

    The only actions that can be considered to reasonably address a root compromised server are to either perform a fresh Operating System and WHM/cPanel installation and restore account backups or to migrate the accounts to a known clean server that hasn't been previously root compromised.


    Now what should I do???
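The listing above shows one shared object memory-mapped into PID 1 and into daemons running as several different users. The following triage helper is an added example, not code from the thread or from GoDaddy: it parses lsof output of that shape, summarises per library how widely it is mapped, and reads /etc/ld.so.preload, which is the usual mechanism by which a library ends up in every dynamically linked process. The sample lsof text and the preload file content are constructed to mirror the listing, not captured from the poster's host.

```python
# Added triage helper (not from the thread): summarise lsof "mem" mappings per
# shared object and list /etc/ld.so.preload entries. All sample data below is
# constructed to mirror the thread's listing.
import re
from collections import defaultdict

LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)"
    r"\s+(?P<dev>\S+)\s+(?P<size>\d+)\s+(?P<node>\d+)\s+(?P<path>\S+)$"
)

# Constructed sample in the format of `lsof /usr/lib/libgrubd.so` (abridged).
SAMPLE_LSOF = """\
COMMAND     PID    USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
systemd       1    root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
auditd     1392    root mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
polkitd    2554 polkitd mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
dbus-daem  2555    dbus mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
rpcbind    2564     rpc mem    REG  253,1    23296 349968 /usr/lib/libgrubd.so
"""
SAMPLE_PRELOAD = "/usr/lib/libgrubd.so\n"  # constructed /etc/ld.so.preload content


def parse_lsof(text):
    """One dict per data line; the header and unparseable lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LSOF_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            recs.append(rec)
    return recs


def mapping_report(recs):
    """Per path: number of processes, distinct users, and whether PID 1 maps it."""
    by_path = defaultdict(lambda: {"pids": set(), "users": set()})
    for r in recs:
        if r["fd"] == "mem":  # memory-mapped, i.e. loaded as a shared library
            by_path[r["path"]]["pids"].add(r["pid"])
            by_path[r["path"]]["users"].add(r["user"])
    return {p: {"processes": len(v["pids"]), "users": sorted(v["users"]),
                "in_pid1": 1 in v["pids"]} for p, v in by_path.items()}


def preloaded_libs(ld_so_preload_text):
    """Entries in /etc/ld.so.preload; a clean host normally has none."""
    return [l.strip() for l in ld_so_preload_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


if __name__ == "__main__":
    print(mapping_report(parse_lsof(SAMPLE_LSOF)))
    print(preloaded_libs(SAMPLE_PRELOAD))
```

On a live host, feed it the real `lsof` output and the contents of /etc/ld.so.preload; a non-empty preload list pointing at a file no package owns is the thing to escalate.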

    Super User II



    Contacting phone support in this instance is probably your best option. Ask to be transferred to the Hosting Department and they should be able to give you some options.

    I am a GoDaddy End User - Just Like You
    * Please note that I DO NOT answer private messages. Please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. If you contact me via PM for help, I will give you a price quote for my personal services. Thanks! *

    Once your issue is resolved,
    please be sure to come back and click accept for the solution

    Get Better Support on the Community Boards!
    Etiquette When Asking for Help from the Community

    Hey, thanks man, but unfortunately they won't help. I have received different responses from their end, like they don't have specialist staff, and now that I am not using managed services I have to change my package for assistance.


    See the following evidence of the malware:

    [root@s148-72-213-141 ~]# sha256sum /lib/libgrubd.so
    81566c65e311874709790e212921c7402f4239f7989608d966044e8477934c88 /lib/libgrubd.so

    3rd party verification: https://www.virustotal.com/gui/file/81566c65e311874709790e212921c7402f4239f7989608d966044e8477934c88... 


    I think I'm on my own; it wasn't a wise decision to shift to GoDaddy indeed!