Hi Ian,

On Tue, Feb 18, 2020 at 04:30:21AM +0000, Ian Hobson wrote:
> All my Wordpress sites have been infected by a virus

Tough one. If you're feeling paranoid you could boot the Rescue VM
so you have a clean environment to investigate things from, but it's
probably overkill. The most likely scenario is that the bad guys
have compromised your wordpress and written stuff only that the
wordpress / web server user can, not got root access or interfered
with the rest of the system. So you are probably safe investigating
from the VPS itself.

A thing I often do when trying to work out what has happened is just
to examine recently-changed files. If I find weird things I then try
to correlate their modify times with logging events, e.g. auth.log
for SSH connections or the web server logs for stuff being POSTed.

    # find /path/to/web/stuff -type f -mtime -30 -ls

gets you things modified within the last 30 days.

If you can pinpoint when it happened then perhaps you can nuke the
sites and restore them to a point before the compromise. I know you
say you don't have access to backups but it's difficult to advise
anything else really…

Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
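
Added example, not part of the message above: one way to do the correlation it describes, pairing recently modified files with POST requests logged within a few seconds of each file's modify time. It assumes the web server writes common/combined log format; the function names, the 5-second window and the sample data are all constructed for illustration.

```python
import os, re, stat, time
from datetime import datetime, timezone

# Common/combined log format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def recent_files(root, days=30):
    """Roughly `find root -type f -mtime -30`: yield (path, mtime) pairs."""
    cutoff = time.time() - days * 86400
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mtime > cutoff:
                yield path, st.st_mtime

def parse_posts(lines):
    """Yield (time, client, path, status) for every POST in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST":
            when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield when, m.group(1), m.group(4), int(m.group(5))

def correlate(files, log_lines, window_s=5):
    """Map each changed file to the POSTs logged within window_s of its mtime."""
    posts = sorted(parse_posts(log_lines))
    hits = {}
    for path, mtime in files:
        changed = datetime.fromtimestamp(mtime, tz=timezone.utc)
        near = [p for p in posts if abs((p[0] - changed).total_seconds()) <= window_s]
        if near:
            hits[path] = near
    return hits

# Constructed sample data (documentation IP ranges, made-up file paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2020:03:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Feb/2020:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 9001',
    '198.51.100.7 - - [11/Feb/2020:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
SAMPLE_FILES = [
    ("wp-content/uploads/cache.php", datetime(2020, 2, 10, 3, 14, 8, tzinfo=timezone.utc).timestamp()),
    ("wp-content/themes/style.css", datetime(2020, 1, 25, 9, 0, 0, tzinfo=timezone.utc).timestamp()),
]

if __name__ == "__main__":
    for path, posts in correlate(SAMPLE_FILES, SAMPLE_LOG).items():
        print(path, [(p[0].isoformat(), p[1], p[2], p[3]) for p in posts])
```

On a real system the inputs would be `recent_files("/path/to/web/stuff")` and the open access log file. Modify times can be set by whoever wrote the file, so a file with no matching request is not thereby shown to be clean.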