Re: [bitfolk] Help needed with virus infection

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] Help needed with virus infection

gpg: Signature made Wed Feb 19 02:10:54 2020 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi Ian,

On Tue, Feb 18, 2020 at 04:30:21AM +0000, Ian Hobson wrote:
> All my Wordpress sites have been infected by a virus
Tough one. If you're feeling paranoid you could boot the Rescue VM
so you have a clean environment to investigate things from, but it's
probably overkill. The most likely scenario is that the bad guys
have compromised your wordpress and written only stuff that the
wordpress / web server user can, not got root access or interfered
with the rest of the system. So you are probably safe investigating
from the VPS itself.

A thing I often do when trying to work out what has happened is just
to examine recently-changed files. If I find weird things I then try
to correlate their modify times with logging events, e.g. auth.log
for SSH connections or the web server logs for stuff being POSTed.

# find /path/to/web/stuff -type f -mtime -30 -ls

gets you things modified within the last 30 days.

If you can pinpoint when it happened then perhaps you can nuke the
sites and restore them to a point before the compromise. I know you
say you don't have access to backups but it's difficult to advise
anything else really…

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
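The approach Andy describes above (list recently modified files under the web root, then line up their modification times against POST requests in the web server log) written out as a small script. This is an added example, not part of the original message or anything BitFolk ships. It assumes GNU find, date and sed (a Linux VPS), a combined-format access log, and the sample log lines and file paths are constructed here purely for illustration.

```shell
#!/bin/bash
# Added example: correlate recently modified web files with nearby POST requests.
# Assumes GNU coreutils/findutils (-printf, date -d) and a combined-format access log.

# recent_files WEBROOT DAYS
# Prints "<epoch mtime> <path>" for regular files modified within the last DAYS days,
# oldest first. Same idea as "find ... -type f -mtime -30 -ls", but machine-friendly.
recent_files() {
    find "$1" -type f -mtime "-$2" -printf '%T@ %p\n' | sort -n
}

# log_epoch "18/Feb/2020:04:01:33 +0000"  -> epoch seconds
# Rewrites the Apache/nginx timestamp into a form GNU date can parse.
log_epoch() {
    date -d "$(printf '%s' "$1" | sed -E 's#^([0-9]{2})/([A-Za-z]{3})/([0-9]{4}):#\1 \2 \3 #')" +%s
}

# posts_near LOGFILE EPOCH WINDOW_SECONDS
# Prints POST lines from LOGFILE whose timestamp is within WINDOW_SECONDS of EPOCH.
posts_near() {
    local log="$1" target="$2" win="$3" line ts e d
    grep -E '"POST ' "$log" | while IFS= read -r line; do
        ts=$(printf '%s' "$line" | sed -E 's/^[^[]*\[([^]]+)\].*/\1/')
        e=$(log_epoch "$ts")
        d=$(( e - target ))
        if [ "$d" -lt 0 ]; then d=$(( -d )); fi
        if [ "$d" -le "$win" ]; then printf '%s\n' "$line"; fi
    done
}

# correlate WEBROOT LOGFILE DAYS WINDOW_SECONDS
# For every recently modified file, show its mtime and the POSTs logged around it.
correlate() {
    local root="$1" log="$2" days="$3" win="$4" mtime path
    recent_files "$root" "$days" | while read -r mtime path; do
        mtime=${mtime%%.*}   # drop the fractional part of %T@
        printf '== %s (modified %s)\n' "$path" "$(date -u -d "@$mtime" '+%Y-%m-%d %H:%M:%S UTC')"
        posts_near "$log" "$mtime" "$win"
    done
}

# make_sample_log DEST
# Writes a constructed access log (the IPs, paths and times are made up for this example).
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [18/Feb/2020:03:58:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2020:04:01:33 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2020:22:15:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2020:09:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/7.64"
EOF
}

# demo: builds a throwaway web root and log, then runs the correlation.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-content/uploads"
    printf '<?php /* constructed sample */\n' > "$tmp/site/wp-content/uploads/new.php"
    make_sample_log "$tmp/access.log"
    correlate "$tmp/site" "$tmp/access.log" 30 600
    rm -rf "$tmp"
}

demo
```

The window (here 600 seconds) is the judgement call: too narrow and you miss the request that dropped the file, too wide and every login POST looks suspicious. Run it once with a wide window to find candidate IPs, then narrow it. The same `posts_near` pattern works against auth.log by swapping the grep and timestamp parsing.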