
My dedicated CentOS 6 server was mining. I scanned the system with clamscan (ClamAV) and the log is below. I have already gone through How do I deal with a compromised server?

The server is not physically available, so how can I disconnect from the internet?

I suspect /bin/mig is the infected file. Can I remove that as it does not belong to any package?

  /bin/mig: Unix.Malware.Agent-6743195-0 FOUND
  /home/XXXX/mail/XXXX.com/info/new/1539098255.M12312312.sXXXX-XX-XX-XX.erver.net,S=22802,W=23120: Heuristics.Phishing.Email.SpoofedDomain FOUND
  WARNING: Can't open file /sys/devices/virtual/tty/tty/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/console/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/ptmx/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/tty0/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/tty/tty1/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/mem/full/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/mem/random/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/mem/urandom/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/misc/tun/ve_device_add: Permission denied
  WARNING: Can't open file /sys/devices/virtual/block/ploop11014/ploop11014p1/ve_device_add: Permission denied
  /usr/local/cpanel/cpaddons/cPanel/Blogs/WordPress/upgrade/2.7.1_2.8/diff: Html.Exploit.CVE_2014_1804-1 FOUND


Sorry to tell you this - the TL;DR is you need to get someone to rebuild your server from scratch.

With respect to disconnecting the server: the advice you found is generic and may not be applicable. That said, it is a best practice. I guess in theory you should ask whoever set it up to take it offline. Assuming this is correct, and you have a static IP address, you can isolate your computer with iptables. Note this is risky and could lock you out if your IP address changes or I've gotten something wrong, so make sure it can be rebooted. (Maybe schedule a cron job?)

The following line should, in theory, limit access to just your IP. It needs to be done in one line because it first blocks everything (regardless of current rules and your IP) and then allows data to and from your IP. To be clear, YOUR.IP is the IP you want to connect to the server from:

  /sbin/iptables -I INPUT -j DROP; /sbin/iptables -I INPUT -s YOUR.IP -j ACCEPT; /sbin/iptables -I OUTPUT -d YOUR.IP -j ACCEPT

The thing is, though, removing the infected file won't fix the problem. There was a mechanism at play to both upload that file and make it run. You need to find out how this happened and prevent the recurrence.

Worse than that, your system is untrustworthy: to have any degree of certainty it's clean you have to wipe it and fully reinstall. Note /bin/mig: this file should not have required root access to install at that location. This means the attacker has root access. It means they could completely cover their tracks and install additional backdoors that are practically impossible to detect. The smart money says they will have done so, as the hard part is getting root access.

davidgo