Misc Situation:
- Server login is obtained by hacker; hacker places malicious brute-force file in /hacked/bruteforce/
- Server password is then changed; hacker can still run the script by navigating to their file on the server, which will run upon their request (I am assuming?)
Question:
Would a combination of changing the server login password as well as adding a password-protected .htaccess file to / stop the hacker in their tracks? Or can a .htaccess still be avoided in terms of rerunning the hacker's script?
I am very new to server security but am eager to learn anything and everything anyone can tell me! I highly appreciate any and all advice. Any recommended knowledge resources would also be fully utilised!
OUR SITUATION:
Here is the information provided to us by our host.
your Server/Customer with the IP: * has attacked one of our servers/partners. The attackers used the method/service: bruteforcelogin on: Sat, 14 Nov 2015 -exact time provided here-. The time listed is from the server-time of the Blocklist-user who submitted the report. The attack was reported to the Blocklist.de-System on: Sun, 15 Nov 2015 -exact time provided here-
Here is some more:
Lines containing IP-ip here-: NOT SORTED (from many different Machines)! DESTINATION-IP: -ip info here-
DESTINATION-IPs: -ip info here-
-ip here- - - [14/Nov/2015:-exact time provided here-] "POST wp-login.php HTTP/1.1" 200 4366 "referer-domain.tld" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
-ip here- - - [14/Nov/2015:-exact time provided here-] "POST /wp-login.php .... truncated .... 0"POST wp-login.php HTTP/1.1" 200 4366 "referer-domain.tld" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
-ip here- - - [14/Nov/2015:-exact time provided here-] "POST wp-login.php HTTP/1.1" 200 5117 "referer-domain.tld" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
Regards, Jay.
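
An added example, not part of the original post: one way to check the server's own access log for which clients still request files under /hacked/bruteforce/, and whether those requests were served (2xx) or refused (401/403, the responses a password-protected .htaccess produces). It assumes Combined Log Format like the lines in the report; the file name run.php, the IP addresses and the sample log lines are constructed.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Combined Log Format, the layout of the lines quoted in the abuse report.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^\s"]+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines; run.php is a hypothetical file name.
SAMPLE = [
    '203.0.113.7 - - [14/Nov/2015:10:00:01 +0000] "GET /hacked/bruteforce/run.php?t=1 HTTP/1.1" 200 512 "-" "curl/7.40"',
    '203.0.113.7 - - [14/Nov/2015:10:05:09 +0000] "GET /hacked//bruteforce/run.php HTTP/1.1" 200 512 "-" "curl/7.40"',
    '203.0.113.7 - - [16/Nov/2015:08:30:00 +0000] "GET /hacked/%62ruteforce/run.php HTTP/1.1" 401 381 "-" "curl/7.40"',
    '198.51.100.20 - - [16/Nov/2015:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 4366 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [16/Nov/2015:09:00:05 +0000] "GET /hacked/bruteforce/ .... truncated ....',
]

def normalise(target):
    """Drop the query string, decode %xx and collapse //, ./ and ../."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def hits_under(lines, directory):
    """Per client IP, summarise requests for anything under `directory`."""
    root = normalise(directory)
    seen = defaultdict(lambda: {"served": 0, "denied": 0, "other": 0,
                                "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # truncated or mangled line, as in the report
        path = normalise(m["target"])
        if path != root and not path.startswith(root + "/"):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status, entry = int(m["status"]), seen[m["ip"]]
        key = ("denied" if status in (401, 403)
               else "served" if 200 <= status < 300 else "other")
        entry[key] += 1
        entry["first"] = min(entry["first"] or when, when)
        entry["last"] = max(entry["last"] or when, when)
    return dict(seen)

if __name__ == "__main__":
    for ip, info in hits_under(SAMPLE, "/hacked/bruteforce/").items():
        print(ip, info)
```
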