A guide for cPanel/WHM servers that use JetBackup and Imunify360, focused on detecting and recovering from a root compromise such as /lib64/libtsr.so or /lib64/libhdx.so.
🔍 Step 1: Check for Indicators of Compromise
Log into your server as root via SSH:
ssh root@your-server-ip
Run:
stat /lib64/libtsr.so
stat /lib64/libhdx.so
If either file exists, your server may have been root-compromised, often by a stealth backdoor or rootkit. Note that a kernel-level rootkit can hide files from stat, so an absent file is not proof that the server is clean.
🔧 Step 2: Perform Initial Investigation
2.1 Use Imunify360 Malware Scanner
Check Imunify360 for active malware alerts:
imunify360-agent malware on-demand start --paths=/ --malware-types all
View detections in WHM:
WHM » Imunify360 » Malware Scanner
2.2 Check for Suspicious Processes and Files
ps aux --sort=-%mem | head
netstat -tulnp
find /lib64 -name "*.so" -exec strings {} \; | grep -Ei 'key|connect|host|curl|wget'
2.3 Look for Unauthorized Cron Jobs
crontab -l
ls -lah /etc/cron* /var/spool/cron
2.4 Check Root Login History
last | grep root
cat /root/.bash_history | tail -n 50
📁 Step 3: Backup and Collect Logs (Before Reinstall)
If you plan to wipe and reinstall, use JetBackup to restore clean accounts later. But first, preserve logs for investigation:
mkdir /root/compromised-review
cp -a /var/log /root/compromised-review/
cp -a /etc /root/compromised-review/etc-configs
You can compress and download for forensic review:
tar czf /root/compromised.tar.gz /root/compromised-review
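The Step 1 indicator check and the Step 3 evidence bundle, combined into one small script as an added example (not part of the original guide). It copies logs with metadata preserved and writes a SHA-256 manifest so the bundle can be verified after download. LIBDIR, LOGDIR and OUTDIR are assumptions added here so the functions can be exercised against scratch directories.

```shell
#!/bin/sh
# Added example, not part of the original guide. Defaults match the guide's
# paths; the overrides are assumptions so the script can be tested as non-root.
LIBDIR="${LIBDIR:-/lib64}"
LOGDIR="${LOGDIR:-/var/log}"
OUTDIR="${OUTDIR:-/root/compromised-review}"

# check_ioc_files: report each indicator file named in Step 1.
# Returns 0 if none exist, 1 if at least one does. Read-only.
check_ioc_files() {
    found=0
    for name in libtsr.so libhdx.so; do
        path="$LIBDIR/$name"
        if [ -e "$path" ]; then
            found=1
            echo "FOUND  $path"
            stat "$path"          # inode, mtime and ctime for the timeline
        else
            echo "absent $path"
        fi
    done
    return $found
}

# collect_evidence: Step 3 bundle. cp -a keeps ownership and timestamps,
# the SHA256SUMS manifest lets you prove the copy was not altered later.
# Prints the path of the resulting tarball.
collect_evidence() {
    mkdir -p "$OUTDIR"
    cp -a "$LOGDIR" "$OUTDIR/"
    ( cd "$OUTDIR" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        > SHA256SUMS )
    tarball="$OUTDIR.tar.gz"
    tar czf "$tarball" -C "$(dirname "$OUTDIR")" "$(basename "$OUTDIR")"
    echo "$tarball"
}

# verify_evidence: re-check the manifest inside an unpacked bundle directory.
verify_evidence() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS )
}
```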
♻️ Step 4: Disconnect and Reinstall the Server
Do not trust a compromised OS.
- Reboot into rescue mode from your VPS/Dedicated provider panel (e.g., OVH, Hetzner).
- Mount the root disk (the device name varies by provider; /dev/sda1 is an example):
mkdir /mnt/old
mount /dev/sda1 /mnt/old
- Backup JetBackup backups:
rsync -av /mnt/old/usr/local/jetapps/usr/jetbackup5 /mnt/backup/
- Wipe and reinstall AlmaLinux or CloudLinux 9.
- Reinstall cPanel/WHM and JetBackup:
cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
jetapps --install jetbackup5
♻️ Step 5: Restore Accounts Using JetBackup
After reinstalling JetBackup, use WHM to restore all client accounts.
Go to:
WHM » JetBackup 5 » Restore » Accounts
Or from command line:
jetbackup5api -F listAccounts
jetbackup5api -F restoreAccount --account=exampleuser --destination=local
✅ Make sure you’re restoring from a backup before the compromise date.
🔒 Step 6: Harden the Reinstalled Server
6.1 Imunify360 (Already Installed)
Ensure all features are enabled:
- Malware Scanner
- Proactive Defense (PHP patching)
- Hardened PHP
- Patch Management
Check via WHM:
WHM » Imunify360
6.2 cPanel/WHM Security Tweaks
- WHM » Security Center » Enable:
  - Two-Factor Authentication
  - SSH Password Auth: Off
  - Shell Fork Bomb Protection
  - Compilers: Disabled
  - cPHulk Brute Force Protection
- Enable ModSecurity with OWASP rules:
WHM » Security Center » ModSecurity™ Vendors
6.3 Install/Configure CSF Firewall
yum install csf -y
cd /etc/csf
sh install.sh
Then configure from:
WHM » Plugins » ConfigServer Security & Firewall
🧪 Step 7: Continuous Monitoring
- Use Imunify360’s Realtime Protection
- Enable daily malware scan reports
- Monitor /var/log/secure and /var/log/messages
- Add a file integrity tool such as AIDE (initialise the database on the freshly reinstalled server, then check against it regularly):
yum install aide
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
✅ Summary
| Action | Tool |
|---|---|
| Detect Compromise | stat, Imunify360 |
| Forensic Backup | rsync, tar, scp |
| Clean Reinstall | Rescue Mode + cPanel |
| Account Restore | JetBackup |
| Post-Security | Imunify360, CSF, Hardened PHP, AIDE |