
Recently a WordPress site on a CentOS 7 server was hacked and a WSO shell was uploaded.

I've checked other sites and nothing was changed. I'm using CentOS Web Panel and the root password also was not changed.

I also had ModSecurity on my nginx, the firewall on, maldet and rkhunter on my server, and Wordfence on the WordPress site, and it was still hacked. How can I prevent this?

I'm trying to recover it but I'm not experienced, so I have a couple of questions:

  1. When a WSO shell is uploaded, does that mean the whole server is compromised or only the host the site was on?

  2. What and where should I check for changes? Should I check the whole server or the host only?

  3. How can I find the place or the bug that led to this hacking?

  4. How do I stop and find all the files that were changed by the user?

  5. I suspended the account; is that enough to stop the malicious code and the hacker until I start the purge on the host or server?

  6. How can I completely encapsulate a website so that once a hacker manages to inject some script, it won't help him access any other website or server?

I am still investigating and will update the post.

  • The question itself is too broad. See similar questions for at least partial answers: [Server compromised for 2nd time, cannot locate source of attack](https://security.stackexchange.com/questions/9234/), [How do I deal with a compromised server?](https://security.stackexchange.com/questions/39231/), [Hardening Linux Server](https://security.stackexchange.com/questions/993/), ... – Steffen Ullrich Apr 25 '21 at 06:06
  • Each question is valid and you should answer these questions, but they all stem from the knowledge of "how did they exploit the server in the first place?" Without knowing that, the questions you've asked are not answerable. And there is no way we can determine how they hacked your server. – schroeder Apr 25 '21 at 07:27

0 Answers