Cleaning up WordPress requires some professional knowledge. You need to recreate the whole site with a new wp-core, plugins and theme, and just use the old database, to ensure you do not copy any old files.
After that install wordfence and monitor site.
If this is something more than you can handle, you should hire some professional sysadmin.
At this point stopping exim probably won’t work, as chances are high that the attacker has already taken measures to restart it or placed more executables on your system.
You did not run your page under the admin account, right? RIGHT?
Make dumps of the process list and restart your server in rescue mode. Mount the disk and search for the infected files based on their names and timestamp.
Especially if you have no experience, get someone knowledgeable to help you. Also, rather reinstall the system and restore your pages from backups.
Disable everything (plugins, themes) in WordPress which you can’t exactly say who coded it and what it is doing.
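The timestamp search suggested above, as an added example that is not part of the thread: a small POSIX shell script that lists every file under a (mounted) web root whose modification time falls inside a chosen window, newest first. It relies on GNU `touch -d` and GNU `find -printf`; the sample web root it builds is constructed here purely so the script can be run offline.

```shell
#!/bin/sh
# Added example, not code from the Hestia thread. Given a web root and a time
# window, list files modified inside that window so the files dropped during a
# breach can be found by timestamp. Intended to be run from rescue mode against
# the mounted disk; the path is supplied by the caller.

# Print "YYYY-MM-DD HH:MM owner path" for every regular file under $1 whose
# mtime is after $2 and not after $3 (both "YYYY-MM-DD HH:MM:SS"), newest first.
files_modified_between() {
    root="$1"; since="$2"; until="$3"
    # Two reference files carry the window boundaries so plain -newer can be
    # used; GNU touch -d parses the date strings. They live outside $root.
    lo=$(mktemp); hi=$(mktemp)
    touch -d "$since" "$lo"
    touch -d "$until" "$hi"
    # -printf is GNU find; ISO dates sort correctly with a plain reverse sort.
    find "$root" -type f -newer "$lo" ! -newer "$hi" \
        -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' | sort -r
    rm -f "$lo" "$hi"
}

# Number of files in the window; handy for a quick "did anything change" check.
count_modified_between() {
    files_modified_between "$@" | wc -l | tr -d ' '
}

# Constructed sample web root: long-standing core files, one legitimate media
# upload, and two files planted minutes apart (hypothetical names).
make_sample_webroot() {
    root="$1"
    mkdir -p "$root/wp-content/uploads/2024/03" "$root/wp-content/plugins/foo"
    printf '<?php // core'   > "$root/index.php";     touch -d "2024-01-15 09:00:00" "$root/index.php"
    printf '<?php // config' > "$root/wp-config.php"; touch -d "2024-01-15 09:00:00" "$root/wp-config.php"
    printf 'jpegdata' > "$root/wp-content/uploads/2024/03/pic.jpg"
    touch -d "2024-03-03 12:00:00" "$root/wp-content/uploads/2024/03/pic.jpg"
    printf '<?php // planted' > "$root/wp-content/plugins/foo/evil.php"
    touch -d "2024-03-03 13:30:00" "$root/wp-content/plugins/foo/evil.php"
    printf '<?php // planted' > "$root/wp-content/.cache.php"
    touch -d "2024-03-03 13:31:00" "$root/wp-content/.cache.php"
}

# Stand-alone demo on the constructed tree.
demo=$(mktemp -d)
make_sample_webroot "$demo"
echo "Files changed on 2024-03-03 under $demo:"
files_modified_between "$demo" "2024-03-03 00:00:00" "2024-03-04 00:00:00"
echo "Count: $(count_modified_between "$demo" "2024-03-03 00:00:00" "2024-03-04 00:00:00")"
rm -rf "$demo"
```

Narrow the window around the time the first alert fired (mail queue growth, load spike, the exim process the post mentions) and the planted files usually cluster within a few minutes of each other, which is what the newest-first ordering is meant to expose. Note that an attacker can reset mtimes, so an empty window is not proof of a clean tree.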
No, the site was under a separate user in hestia.
I am making a full backup of the site and then reinstall fresh OS.
I had suspended the user and the site. But now when I am trying to remove the suspension, it still says the site is suspended. Why is that? @ScIT @falzo
No idea, check the logfiles maybe? You most likely don’t want to reenable that page as it was anyway.
Rather deploy a new user and rebuild your page step by step as @mehargags already mentioned.
It will lead you nowhere, if you don’t find what was causing the breach, it will simply happen again…
This will not help and is not needed. You need to clean your Wordpress site… not the whole server
Your site was inside an isolated user and access of scripts / malicious items is still jailed to the user’s directory.
Resurrect your site from clean new updated WP-Core, plugins, theme and you should be good.
Scan your uploads folder for any scripts that might be malicious before copying to newly created site.
Restoring any files other than media in /uploads can lead to getting hacked/infected again very soon.
which tool do you recommend to scan the wp-content files? Can I scan from the SSH commands?
I’m sorry, but this is not related to hestia itself. Please try to spin up some Google searches about malware scans for WordPress; probably Wordfence and maldet are also an option.
find . -type f -name '*.php'
delete if you find any. You will need to go inside and browse through to see if you can get any other scripts that catch your eye.
There are many tools like Wordfence and other WP integrity checker tools that you can use… it is out of scope to discuss them here. Good luck
What does this command do? I ran this command and it output all the .php files. Do I need to delete all files ending with .php?
Where are you running this command?
It should be run inside wp-content/uploads and ideally should not show any .php files.
Yes, but I think this command only finds files that are ending with .php extension.
Often the malware is injected in a file which does not look like a php or any other programming file.
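An added example, not code from the thread, that extends the `find . -type f -name '*.php'` check discussed above in the direction the last two posts describe: it is run against `wp-content/uploads`, flags PHP-executable extensions (including double extensions such as `.php.jpg`) and, separately, greps every other file for a PHP open tag so a stub hidden in an image or text file is also reported. The sample uploads tree it builds is constructed here so the script runs offline; `-iname` and `grep -a` are GNU/BSD extensions.

```shell
#!/bin/sh
# Added example, not code from the Hestia thread. Scan a WordPress uploads tree
# for files that should never be there. Two independent checks:
#   1. any file whose extension PHP (or a lax Apache handler) would execute
#   2. any other file, whatever its extension, that contains a PHP open tag
# Usage: scan_uploads /path/to/wp-content/uploads

# Print the path of every suspicious file under $1, one per line.
scan_uploads() {
    dir="$1"
    # Check 1: extension-based. Catches shell.php, shell.phtml, shell.php5 and
    # double-extension tricks such as shell.php.jpg.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[0-9]' -o -iname '*.php.*' \) -print
    # Check 2: content-based, for everything check 1 did not already list.
    # -a treats images and other binaries as text so "<?php" appended to a JPEG
    # is still found; -l prints only the path.
    find "$dir" -type f ! \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
        -o -iname '*.php[0-9]' -o -iname '*.php.*' \) \
        -exec grep -a -l -- '<?php' {} + 2>/dev/null
    return 0   # grep exits 1 when nothing matches, which is the good outcome
}

# Count of distinct suspicious files; convenient for cron alerts (non-zero = investigate).
count_suspicious() {
    scan_uploads "$1" | sort -u | wc -l | tr -d ' '
}

# Constructed sample uploads tree: two clean files plus three planted findings.
make_sample_uploads() {
    root="$1"
    mkdir -p "$root/2024/01" "$root/cache"
    printf 'GIF89a...' > "$root/2024/01/banner.gif"                        # clean media
    printf 'hello'     > "$root/2024/01/notes.txt"                         # clean text
    printf '<?php echo 1; ?>' > "$root/cache/wp-tmp.php"                   # PHP extension
    printf '<?php echo 2;'    > "$root/2024/01/photo.php.jpg"              # double extension
    printf '\377\330\377\340JFIF<?php echo 3; ?>' > "$root/2024/01/avatar.jpg"  # tag hidden in image
}

# Stand-alone demo on the constructed tree.
demo=$(mktemp -d)
make_sample_uploads "$demo"
echo "Suspicious files under $demo:"
scan_uploads "$demo"
echo "Total: $(count_suspicious "$demo")"
rm -rf "$demo"
```

Review each hit before deleting: a legitimate plugin occasionally writes a cache file under uploads, but a media directory that legitimately needs PHP is rare, and a file that matches only check 2 (an image carrying `<?php`) has no benign explanation.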
This is another case of the benefits of mod_sec.
Time to close this thread, seeing as it’s a WP issue?
Is mod_sec part of Hestia?
You could do with better powers of search/research.
mod_sec is an Apache module, so it’s just an apt-get install away and a custom vhost template that makes use of it.
I searched in the forum about mod_sec and I got the impression that it’s not very easy to get it working with Hestia. Especially for someone like me who does not know more than a few linux commands.
You are probably referring to this thread, the discussion there was about enabling modsecurity modules in nginx.
So if we don’t integrate it in nginx, and only install it using the apt-get install as you said, will it function OK?
I only have 1 wp site on the server and don’t plan to add any other site, just in case if it matters.
@attiqfsd Please keep us posted about the hack you suffered, particularly if there are any signs of “systemic involvement” (i.e. any malware files outside of the WP user’s home dir).