Rootkit detected - unable to delete server from cluster - Enhance Control Panel

Rootkit detected - unable to delete server from cluster

wav3front

Hi,

One of my servers was compromised:

Dear User,

cPFence has detected a possible rootkit or vulnerability on ******-node2. Please review the details below.

cPFence Scanner details:
------------------------------------------------------------
Rootkits/Vulnerabilities Found:
-----------------
Checking `bindshell'...                                     INFECTED PORTS: ( 45454)
------------------------------------------------------------
For more details, please check the log file at: /opt/cpfence/tmp/logs/rootkit_scan_2024-11-03_01-03-01.log

Thank you for using cPFence!

The server was acting weird and I immediately shut it down.
The server is decommissioned in the enhance cluster.
I cannot completely delete it as I get the "There are websites on it" message. However, I have actually moved the websites, the only thing that existed in this server was backups of them in the backup role.
How can I delete the server from the cluster?

Thanks
Alex

cPFence

wav3front

Hi Alex,

False positives in rootkit detections are quite common, especially with "bindshell" detections, which are often triggered by open ports used for regular services. No need to panic or decommission the server , this is usually just a precautionary detection. Just drop us a ticket, and we’ll investigate the flagged item thoroughly to confirm if it’s a genuine issue.

wav3front

also, anyone have information on this rootkit?

wav3front

Fair enough.
Still though, I am not able to solve the issue with the stray decommissioned server.
I wonder if @Adam can help?

cPFence

wav3front

It might be a good idea to leave a ticket for Enhance support to address this. However, if all functionalities are working fine, including the backups, there is no need to worry about the decommissioned server.

Adam

If the server is decommissioned, just move the backup role for the affected websites to another server in your cluster and you will then be able to delete the decommissioned server.

wav3front

Adam I cannot.

I have installed the backup role to another server, but I cannot move the backup role, for those websites, from the decommissioned server to the new one.

Specifically, nothing happens when I try to move them. I get the /migrations page but no tasks.

Adam

I don't know what would cause that, unless they're server hostname domains. If so, just delete them and re-create them. If they're normal websites please send a support ticket and we can investigate further.