
I saw my server's cpu usage was at 100%, so I investigated a bit and found Xmrig running.

This is a Vultr OpenLiteSpeed Django server. I had installed CyberPanel via the cyberpanel install script on their website that they email you, and had also only installed Django and a few other packages via pip, so I am assuming that the malware came from CyberPanel.

I would like to know if the server could still be compromised after all of this?

  • rm -rf /root/c3pool

Following the advice here - https://superuser.com/a/936976

  • systemctl stop [servicename]
  • systemctl disable [servicename]
  • rm /etc/systemd/system/[servicename]
  • rm /etc/systemd/system/[servicename] # and symlinks that might be related
  • rm /usr/lib/systemd/system/[servicename]
  • rm /usr/lib/systemd/system/[servicename] # and symlinks that might be related
  • systemctl daemon-reload
  • systemctl reset-failed

When rebooting, the logs show nothing regarding the service trying to start, so it appears it is no longer on the system.

I then removed password authentication via ssh, and generated a gpg key on my local machine.

What else can I do to ensure the system is safe?

Vellutante
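The post stops and removes the miner's systemd unit and then disables SSH password logins, but it only checks the boot log to confirm the unit is gone. The following script is an added example, not code from the original post or from the linked Super User answer: it verifies two of the cleanup steps above from a defender's perspective. `unit_leftovers` counts files, symlinks and drop-ins under the systemd directories that are still named after, or still reference, a unit name (here the constructed assumption is that the miner lived under `c3pool`, matching the removed directory), and `sshd_password_auth` reports the effective `PasswordAuthentication` value from an sshd config file. The fixture directory and config built in `main` are constructed for the demonstration; point the functions at `/etc/systemd/system`, `/usr/lib/systemd/system` and `/etc/sshd_config` on the real host.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that a removed
# systemd unit left no references behind and that sshd no longer accepts
# password authentication. Unit name "c3pool" and the fixture files are
# constructed assumptions for illustration.

# Print the number of distinct files under the given directories that are
# either named after the unit or mention it in their contents (e.g. a
# Wants=/Requires= line in another unit, or a .wants/ symlink). A result of
# 0 means the directories carry no trace of the unit.
unit_leftovers() {
    unit="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # files or symlinks whose name contains the unit name
        find "$dir" -name "*${unit}*" 2>/dev/null
        # files whose contents reference the unit name
        grep -rl -- "$unit" "$dir" 2>/dev/null
    done | sort -u | wc -l | tr -d ' '
}

# Print the effective PasswordAuthentication value ("yes" or "no") from an
# sshd_config file. sshd honours the first occurrence of a keyword and
# defaults to "yes" when it is absent. Simplification: Match blocks and
# Include directives (sshd_config.d) are not evaluated here.
sshd_password_auth() {
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    echo "${val:-yes}"
}

# Demonstration on constructed fixtures; does not touch the real system.
main() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/system"
    # constructed: a unit file that still points into the removed directory,
    # plus a symlink named after the unit (as a .wants/ entry would be)
    printf '[Unit]\nDescription=demo\n[Service]\nExecStart=/root/c3pool/run.sh\n' \
        > "$tmp/system/miner.service"
    ln -s "$tmp/system/miner.service" "$tmp/system/c3pool.service"
    # constructed: sshd config with password logins disabled
    printf '# constructed sample\nPort 22\nPasswordAuthentication no\n' > "$tmp/sshd_config"

    echo "leftovers before cleanup: $(unit_leftovers c3pool "$tmp/system")"
    rm -f "$tmp/system/miner.service" "$tmp/system/c3pool.service"
    echo "leftovers after cleanup:  $(unit_leftovers c3pool "$tmp/system")"
    echo "PasswordAuthentication:   $(sshd_password_auth "$tmp/sshd_config")"
    rm -rf "$tmp"
}

main
```

A non-zero count after the `rm` steps in the post usually points at a `.wants/` or `.requires/` symlink or a drop-in under `*.service.d/` that was not removed; `systemctl daemon-reload` does not clean those up by itself.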

0 Answers