How To Check for Virus / Malware Script in Server / WordPress Site
May 25, 2020

Check Recently Modified Files in Server

Log in to the server over SSH and run the commands below to find out which scripts have been uploaded recently:

$ cd /home/public_html/
$ find ./ -type f -mtime -15
(this command lists all files that have been uploaded / modified in the last 15 days)

$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
(this command lists every file under /etc with its modification time, newest first)

Check PHP Scripts That Have Been Recently Uploaded

$ cd /home/public_html/
$ find ./ -type f -name "*.php" -ctime -7
(this command lists all PHP files that have been uploaded / modified in the last 7 days; -ctime also picks up permission and ownership changes)

$ find ./ -type f -name "*.php" -ctime +7
(this command lists all PHP files that were uploaded / modified more than 7 days ago)

$ find ./ -type f -name "*.php" -atime -7
(this command lists all PHP files that have been accessed in the last 7 days)

$ find ./ -type f -name "*.php" -atime +7
(this command lists all PHP files that were last accessed more than 7 days ago)

Find all files modified since April 1, 2020:

find ./ -type f -newermt 2020-04-01

To list only the files modified on April 1, 2020 itself, also exclude everything newer than April 2:

find ./ -type f -newermt 2020-04-01 ! -newermt 2020-04-02

Check Other Files:

You should check the robots.txt and sitemap.xml files. Hackers target popular sites with good SEO so that they can sell their dark web market items through your site.

In your public_html folder you will see folders named .well-known. Check those folders for newly uploaded PHP / Python / Bat files, from which they will infect the site again.

Always check the top-level public_html folder of a site for malware files. For example, if my site is arzerin.com/, check the top-level folders for PHP files that you do not think you uploaded.

Also check the top-level index.php files, because they may already have injected malware code at the top of the script.

Find malware code in all files (replace virus_code with a string taken from the injected code):

grep -rlnw '/home/public_html/' -e 'virus_code'
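
The checks from this section combined into one read-only triage script. This is an added example, not code from the original post; the function names, the pattern list and the 200-character first-line threshold are assumptions, and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: read-only triage of a web root. Function names, patterns and
# the 200-character threshold are assumptions; tune them for your own site.

# Idioms commonly used to hide injected PHP (illustrative, not a full signature set).
SUSPECT_RE='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\('

# Script files under any .well-known directory, which should hold only static files.
scripts_in_well_known() {
    find "$1" -type f -path '*/.well-known/*' \
        \( -iname '*.php' -o -iname '*.py' -o -iname '*.bat' \) | sort
}

# PHP files whose content matches one of the suspect idioms.
suspect_php() {
    find "$1" -type f -iname '*.php' -exec grep -lE "$SUSPECT_RE" {} + | sort
}

# PHP files whose first line is longer than $2 characters (default 200):
# code prepended to index.php usually sits on one long line after "<?php".
long_first_line() {
    find "$1" -type f -iname '*.php' -exec \
        awk -v max="${2:-200}" 'FNR == 1 && length($0) > max { print FILENAME }' {} + | sort
}

# Constructed sample tree (harmless files, never executed) to try the checks on.
make_sample_tree() {
    mkdir -p "$1/.well-known/acme-challenge" "$1/wp-content/uploads"
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$1/wp-content/clean.php"
    printf 'token\n' > "$1/.well-known/acme-challenge/token"
    printf '<?php // constructed dropped script\n' > "$1/.well-known/x.php"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$1/wp-content/uploads/cache.php"
    printf '<?php $pad="%0250d"; ?>\n<?php\nrequire "wp-blog-header.php";\n' 0 > "$1/index.php"
}

triage_webroot() {
    echo "== scripts under .well-known ==";  scripts_in_well_known "$1"
    echo "== suspect PHP idioms ==";         suspect_php "$1"
    echo "== long first line ==";            long_first_line "$1"
}

# With a path argument, triage that web root; with none, demo on a constructed tree.
root="${1:-}"
if [ -z "$root" ]; then root=$(mktemp -d); make_sample_tree "$root"; fi
triage_webroot "$root"
```

Every hit is a lead for manual review, not proof of infection: legitimate plugins also call base64_decode, so compare flagged files against clean copies from the official source.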

Hardening WP Site Security

Change WordPress File Permission

For Directories:

$ find /home/public_html/arzerin/ -type d -exec chmod 755 {} \;

For Files:

$ find /home/public_html/arzerin/ -type f -exec chmod 644 {} \;

Change .htaccess files:

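# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

# Hardening rules, kept outside the markers so WordPress does not overwrite them.
# Block direct requests to include-only files.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Deny web access to wp-config.php. The <Files> wrapper is assumed here, as in the
# WordPress hardening guide; a bare "deny from all" would block the whole site.
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead.
<Files wp-config.php>
order allow,deny
deny from all
</Files>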

If your site is a WordPress site, do the following:


A. Manually Update WordPress:

  1. Log into your server via SFTP or SSH.
  2. Backup your website and database (especially customized content).
  3. Manually remove the wp-admin and wp-includes directories.
  4. Replace wp-admin and wp-includes using copies from the official WordPress repository.
  5. Manually remove and replace plugins and themes with copies from official sources.
  6. Log into WordPress as an admin and click Dashboard > Updates.
  7. Apply any missing updates.
  8. Open your website to verify it is operational.


B. Reset Site Password from Database

C. Set new secret keys in the wp-config.php

Scan Your Website

  1. Sucuri Sitecheck (https://sitecheck.sucuri.net/)
  2. Google Transparency Check (https://www.google.com/transparencyreport/safebrowsing/diagnostic)
  3. Google Webmaster Console (https://search.google.com/search-console/welcome?hl=en)
  4. Bing Webmaster (https://www.bing.com/toolbox/webmaster)
  5. Yandex Webmaster (https://webmaster.yandex.com/)
  6. Norton Safe Web (https://safeweb.norton.com/)

RESOURCE LINK:
https://search.google.com/search-console/welcome?hl=en
https://wordpress.org/support/article/hardening-wordpress/

About author

ZERIN
