  • ClearOS 7 boxes compromised and mining cryptocurrencies.

    Hi, Community. Just relating information at this time. Selected category as system security.

    We have just over 25 ClearOS 7 boxes at various locations. Most are for individual sites. We have had two boxes compromised in as many weeks. Not been able to ascertain the attack vector. We find a user named support with the same ID as root, and it indicates the same login times as ours with root. It removes the bash history for root, removes many of the logs from /var/log and adds config.txt, cpu.txt, minerd, and monero to /etc/sbin. Cron for root is edited to start monero from /etc/sbin every 5 minutes. We have managed to recreate the logs and rename the additional files to prevent the miner from starting again and get the boxes operational again (both run Zarafa Community). I removed the user via "vipw" and "vipw -s". Not going to leave the boxes in production.

    Port 81 is open and accessible from outside, passwords are fairly complex, root access is allowed from WAN but the port was closed (we only open it when we need to use it for support). It is possible the threat came from the LAN side but I have not been able to find anything from the remaining information.

    Posted queries about restoring mail archives due to a compromised box but didn't hear anything from anyone. Was wondering if anyone had seen anything like this or if ClearOS would be interested in some telemetry. Going to replace the box compromised last week with a fresh install tomorrow and try to replace the other by end of week.
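    A quick triage script for the indicators described in the post (a second UID-0 account, a root cron entry under /etc/sbin, the dropped miner files). This is an added example, not part of the original post or of ClearOS; it runs against constructed sample files here, and the same functions can be pointed at /etc/passwd, /var/spool/cron/root and /etc/sbin on a box under investigation.

```shell
#!/bin/sh
# Added example: check for the indicators the post describes.
# Each function takes a path argument so it can be run against the
# constructed samples below or against the live files on a host.

# Print any account other than "root" whose UID is 0 (the "support" user).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print crontab lines that reference /etc/sbin or the miner names.
suspicious_cron_lines() {
    grep -E '/etc/sbin|minerd|monero' "$1" 2>/dev/null
}

# Print which of the dropped files named in the post exist in a directory.
dropped_files_present() {
    dir="$1"
    for f in config.txt cpu.txt minerd monero; do
        [ -e "$dir/$f" ] && echo "$f"
    done
    return 0
}

# Constructed sample data (assumption: modelled on the post, not captured from a real box).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\nsupport:x:0:0::/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n' > "$SAMPLE/passwd"
printf '0 * * * * /usr/sbin/logrotate /etc/logrotate.conf\n*/5 * * * * /etc/sbin/monero\n' > "$SAMPLE/cron_root"
mkdir -p "$SAMPLE/sbin"; : > "$SAMPLE/sbin/minerd"; : > "$SAMPLE/sbin/monero"

extra_uid0_accounts "$SAMPLE/passwd"      # prints: support
suspicious_cron_lines "$SAMPLE/cron_root" # prints: */5 * * * * /etc/sbin/monero
dropped_files_present "$SAMPLE/sbin"      # prints: minerd, monero (one per line)
```

    On a live box, run the functions as root against the real paths and treat any output as a reason to take the host offline and preserve a disk image before rebuilding.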