I have VPS based on Linux and this server is compromised at the root level by malware known as ShellBot. This malware is known to cause errors when running the "crontab" command but can potentially cause many other problems including not being able to start certain services.
The presence of the following file is an indication of this malware.
[root@s148-72-213-141 ~]# stat /lib/libgrubd.so
Size: 23296 Blocks: 48 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 349968 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 12/ mail)
Access: 2019-08-18 12:48:55.925657998 -0700
Modify: 2019-06-19 12:35:35.458000000 -0700
Change: 2019-06-19 12:35:35.459000000 -0700
[root@s148-72-213-141 ~]# lsof /usr/lib/libgrubd.so
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
systemd-j 1336 root mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
systemd-u 1360 root mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
auditd 1392 root mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
polkitd 2554 polkitd mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
dbus-daem 2555 dbus mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
rpcbind 2564 rpc mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
smartd 2572 root mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
irqbalanc 2573 root mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
pure-auth 2581 root mem REG 253,1 23296 349968 /usr/lib/libgrubd.so
I think this probably occurred as a result of the recent Exim vulnerability CVE-2019-10149, since the GID on the file is 'mail'.
The reason this server was exploited is because cPanel updates were disabled by setting the version to 126.96.36.199 in the cpupdate.conf file:
[root@s148-72-213-141 ~]# grep CPANEL /etc/cpupdate.conf
The only actions that can be considered to reasonably address a root compromised server are to either perform a fresh Operating System and WHM/cPanel installation and restore account backups or to migrate the accounts to a known clean server that hasn't been previously root compromised.
Now what should I do???
Contacting phone support in this instance is probably your best option. As to be transferred to the Hosting Department and they should be able to give you some options.
Once your issue is resolved,
please be sure to come back and click accept for the solution
Hey Thanks man but unfortunately they won't help, I have received different responses from there end like they don't have specialist staff and now that I am not using managed services so I have to change my package for assistance.
See following is the evidence of the malware:
[root@s148-72-213-141 ~]# sha256sum /lib/libgrubd.so
3rd party verification: https://www.virustotal.com/gui/file/81566c65e311874709790e212921c7402f4239f7989608d966044e8477934c88...
I think Im on my own, it wasn't a wise decision to shift to Godaddy indeed!