- 08-05-2012 #1 | Just Joined! | Join Date: Aug 2012 | Posts: 54
hacked by Opyum Team
Can somebody please tell me what to do if you have been hacked by this Opyum Team?
Now they have full root privileges.
They have a cron job called f Opyum Team.
They have created thousands of jpg images in various folders all over my server.
They did that months ago.
They don't do anything weird now as far as I know. Maybe they use my resources a lot, which I suspect they do also.
I am afraid if I re-install the OS and webmin again, then put the latest backup, they will still be there.
Please suggest what I can do?
Also my hosting company suggests that I switch to cpanel instead of webmin, but I don't really want that.
I feel like if I can kill the cron job and the Opyum Team root user, I can clean and take care of the rest of the leftovers, and for me to kill the cron job and remove the opyum team root user, I should just re-install the OS and the webmin.
PS: I am not good with linux commands nor the webmin. I used shared hosting with cpanel for 7 years and just started on the VPS hosting a month ago.
Last edited by Website; 08-05-2012 at 02:32 PM. Reason: additional info
- 08-05-2012 #2
IMHO there is no alternative to a complete reinstall.
Save your data, db dumps, config and logs.
Of course, you need to find out how the hack happened and also verify all data.
Then start from scratch.
If you are not familiar with Linux, maybe find help to complete those tasks.
You must always face the curtain with a bow.
- 08-05-2012 #3
First thing to do is unplug your Internet! After this, open a terminal and as su:
Code:
    cd /bin
Then:
Code:
    rm f
If permissions are somehow set where you cannot remove it, rename it:
Code:
    mv f _f_
You can rename it whatever you want. You have to do the same with "i" if it has been installed. Still inside /bin, do:
Code:
    rm i
Or rename it. At this point, you can open "top" or "htop," find those processes and kill them. No point in killing them first as they will just get reactivated almost as quickly as you kill them. That's what happened to me. If you don't know how to kill these processes, reboot, still without the cable plugged in. Once the machine is fully up, you need to clean up a little with your favourite editor (mine's "joe")...
Code:
    joe /etc/crontab
Look for the lines that activate "f" and "i" and either delete them from the configuration or comment them out with a "#" before them.
Lastly and importantly: Change your ssh password to something really complicated! Port 22 is where it got in. You could change the default ssh port from 22 to something else as well. If you don't use ssh that much, consider closing the port altogether. You can now plug in your Internet connection and restart the machine or re-activate the connection. Hope this helps.
Edit: I agree completely with Irithori, a new install will ensure you are clean, but both my machines have been working without problems since I took these steps. I do however re-install fairly regularly, so that is something I will do to both machines in time.
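The crontab clean-up step described in the post above (find the lines that start "f" and "i" and comment them out) as an added example, not part of the thread or the poster's own commands: a POSIX sh script that lists the active crontab entries mentioning a given program path, writes a backup of the file, and comments the matching lines out rather than deleting them. The file name, the pattern "/bin/f" and the sample crontab content are constructed for the demo; the matching is a literal substring match, so the listing should be read before anything is disabled.

```sh
#!/bin/sh
# Added example (not from the thread): review and disable crontab lines that
# run a given program. Assumes POSIX sh plus awk, cp and mktemp. The pattern
# is matched as a literal substring, so "/bin/f" would also match "/bin/foo";
# always read the listing before disabling anything.

# Print active (non-comment) lines of FILE that contain PATTERN, with line numbers.
# Usage: list_cron_entries FILE PATTERN
list_cron_entries() {
    awk -v pat="$2" '
        /^[ \t]*#/ { next }                  # skip lines that are already comments
        index($0, pat) > 0 { print NR ": " $0 }
    ' "$1"
}

# Count the lines list_cron_entries would print.
# Usage: count_cron_entries FILE PATTERN
count_cron_entries() {
    awk -v pat="$2" '
        /^[ \t]*#/ { next }
        index($0, pat) > 0 { n++ }
        END { print n + 0 }
    ' "$1"
}

# Copy FILE to FILE.bak, then rewrite FILE with every active line containing
# PATTERN prefixed by "# disabled: ". Prints the number of lines disabled.
# Usage: disable_cron_entries FILE PATTERN
disable_cron_entries() {
    file=$1
    pattern=$2
    hits=$(count_cron_entries "$file" "$pattern")
    cp -- "$file" "$file.bak"
    awk -v pat="$pattern" '
        /^[ \t]*#/ { print; next }                        # keep comments as they are
        index($0, pat) > 0 { print "# disabled: " $0; next }
        { print }
    ' "$file.bak" > "$file"
    echo "$hits"
}

# Demo on a constructed crontab (sample content, not a real system file).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/crontab" <<'EOF'
# /etc/crontab: constructed sample for the demo
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
* *   * * *  root  /bin/f
@reboot      root  /bin/i
EOF
    echo "Entries mentioning /bin/f:"
    list_cron_entries "$dir/crontab" "/bin/f"
    echo "Disabled: $(disable_cron_entries "$dir/crontab" "/bin/f") line(s)"
    cat "$dir/crontab"
    rm -rf "$dir"
}

demo
```

Commenting the line out instead of deleting it keeps the evidence of what was scheduled, and the .bak copy preserves the original file for the host or whoever investigates how the entry got there. The same functions work on the per-user files under /var/spool/cron as well as /etc/crontab and /etc/cron.d.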
- 08-05-2012 #4 | Just Joined! | Join Date: Aug 2012 | Posts: 54
First of all I don't host the site myself. I use a VPS through a company. So I don't think disconnecting myself from the Internet will help me here.
I used the FTP to do these commands you wrote... but
Can't rename the f because of a permission problem.
I don't have i in /bin.
Didn't continue the other commands because I couldn't do the previous ones. My passwords are always super strong. I'm talking about something like ss_!LL-242__DSDefse___-svse#@D
So it's long and has each type of character to make it strong.
Also, do you think there is any way to have all malicious files and folders cleaned from my directories? How can I do that after killing the processes?
- 08-05-2012 #5
Then contact your host and have them do what is necessary. Sorry to hear you are having this trouble. In my opinion, Opyum Team sets itself up as a porn server. It didn't do any deleting or rewriting of critical files on mine, just very annoying processes going on that grind your server's resources down to where it's difficult to do anything else. I watched as it downloaded files and put them in directories in /sbin and deleted others, but checked /sbin thoroughly and didn't find anything left. Your hosting company should be knowledgeable enough to address this.
Edit: With a super strong pass, not sure how it got in or crossed over. ftp pass also strong?
- 08-05-2012 #6 | Just Joined! | Join Date: Aug 2012 | Posts: 54
All passes are either the same or very similar to each other.
So if I don't have the permission through FTP, is there any other method to put in those commands and remove/kill the files and processes?
Would it make any difference if I put the commands in from the console?
Should I use another user?
Can my hosting company have more permissions than I have in my VPS, so they can put in those commands to clear the problem?
I am talking to my hosting company right now and they say they will try. But I don't have much hope.
- 08-05-2012 #7
Can you get in through ssh? Do you have root permissions on this server? If not, perhaps send this thread to your host and ask them to do it.
- 08-05-2012 #8 | Just Joined! | Join Date: Aug 2012 | Posts: 54
Thank you Dan. I really appreciate your quick help.
After sending the thread to my hosting company, they took care of the issue perfectly. They have also changed my passes and SSH port.
I think I have full root permissions right now. There is no Opyum Team cron job, nor f or i in /bin.
There were f.save and f.save.1 in /bin and I just deleted them also.
Is there anything else I should check for?
If not, then what is the next step?
How can I remove or delete the files which were affected/created/edited by them?
I know the hack has created a bunch of jpgs etc. in many folders. But I don't know the locations.
Last edited by Website; 08-05-2012 at 04:21 PM. Reason: Forgot to say thank you
- 08-05-2012 #9
Since it is a server (not cluttered with personal pictures) update the database and search for them:
Code:
    updatedb
When it finishes:
Code:
    cd /
    locate *.jpg
Might also want to search *.jpeg *.JPG *.JPEG. Pay particular attention to /sbin and /usr/sbin. I remember seeing one or both of those directories while watching it do its thing with htop. Warn your host that it replicates itself to other machines on the network, so they might have to check all of them. Glad you are getting it under control.
EDIT: Perhaps your host would be kind enough to share what they did to address this. That might help someone else later on who finds this thread.
- 08-05-2012 #10 | Just Joined! | Join Date: Aug 2012 | Posts: 54
I think they did what you told them to do above with the codes.
Writing updatedb in the console doesn't do anything. Can you give me the full command please?
Also, putting this command in the console,
    cd /
    locate *.jpg
will bring every jpg (including regular ones) to me, right? How would I know which images to delete?
Should I search for png, gif etc. also?
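On the question in the last post of how to tell planted images from legitimate ones, an added example that is not from the thread: instead of locate over the whole filesystem, run find(1) only over directories that should contain nothing but executables (the thread names /bin, /sbin and /usr/sbin), and separately list files changed after a reference timestamp from before the incident. It needs no updatedb/locate database, which also explains why updatedb printed nothing: it only rebuilds the index. The -iname test is assumed to be available (GNU and BSD find both have it); the directory layout, file names and marker timestamp are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): locate image files in directories that
# should only hold executables, and list files changed after a reference point.
# Uses find(1) directly, so no updatedb/locate database is needed; -iname is
# supported by GNU and BSD find but is not strictly POSIX.

# Print every regular file with an image extension (case-insensitive) under the
# given directories, one path per line, sorted.
# Usage: find_images_in DIR...
find_images_in() {
    find "$@" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
        -o -iname '*.png' -o -iname '*.gif' \) 2>/dev/null | sort
}

# Print files under DIR modified more recently than the file REF. REF can be a
# file whose timestamp predates the incident (a file from the original install,
# or a marker created with "touch -t YYYYMMDDhhmm").
# Usage: find_changed_since REF DIR
find_changed_since() {
    find "$2" -type f -newer "$1" 2>/dev/null | sort
}

# Count input lines (portable replacement for "wc -l", which pads with spaces
# on some systems).
count_lines() {
    awk 'END { print NR }'
}

# Demo on a constructed tree (fake bin/, sbin/ and web root, not real system
# paths): two planted images under the binary directories, one legitimate
# logo in the web root, and a marker dated before the "incident".
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/sbin" "$root/var/www/images"
    touch -t 201201010000 "$root/installed.marker"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/legit.sh"
    touch -t 201201010000 "$root/bin/legit.sh"      # untouched since install
    : > "$root/bin/0001.jpg"
    : > "$root/sbin/cache.JPG"
    : > "$root/var/www/images/logo.png"

    echo "Images under binary directories (none expected on a clean host):"
    find_images_in "$root/bin" "$root/sbin"
    echo "Files changed after the install marker:"
    find_changed_since "$root/installed.marker" "$root"
    rm -rf "$root"
}

demo
```

On a real host the first call would be `find_images_in /bin /sbin /usr/sbin`, and anything it prints is worth looking at, because image files have no business in those directories. Files under the web root need the second view: comparing against a known-good timestamp (or, better, against a backup or the package manager's file lists) separates what was there before from what appeared during the compromise, which is the question the plain locate output cannot answer.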