Hacked?

Started getting notices that spam is flooding out of my IP. Installed maldet, kicked off the scan and walked away. 90 minutes later every browser I try warns me the connection isn't secure when attempting to log into Webmin. According to the details provided, my certificate suddenly expired right around the time the scan started.

The maldet scan found some suspicious PHP items in a WordPress site, btw.

Fearing I may have been hacked, I'm too paranoid to log in to investigate why the certificate hasn't auto-renewed monthly as I swear I set it to do. Am I crazy?

Firefox states:
https://lamp1.antiochtechnologies.com:10000/

Peer’s Certificate has expired.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:


Log in via ssh, and have a proper look around. The expired cert doesn't really provide any useful troubleshooting information.

I usually do an “rpm -Va” to look for suspiciously modified files (this won’t catch a savvy attacker who uses properly packaged files to replace the system files, but I don’t think I’ve ever seen a rootkit use the native package manager to mess around with the system files it modifies, so it may turn something up).

Make sure you’re not running an old kernel with privilege escalation vulnerabilities. Since you know you’ve been compromised on the user side (probably via a WordPress bug), you need to ascertain whether the attacker then had the ability to escalate to something more. A certificate expiring and not being renewed in Virtualmin is probably not strong evidence of that…there’s a lot of reasons that may have failed, either temporarily or permanently.

But obviously you have to assume the worst until you confirm that the attacker was limited to one user account. If they were unable to escalate to root, then you can easily clean it up and keep the server running; if they escalated to root, you can never trust it again until you've formatted and reinstalled your OS, and restored from backups (keeping it offline until you make sure the exploitable condition has been corrected in that WordPress install).
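The `rpm -Va` check suggested above produces a lot of noise (config files are expected to differ), so here is a small triage script to sort its output, added here as an example rather than anything from the post or from Virtualmin. It assumes an RPM-based system, flags non-config files whose size, mode or digest changed and any file reported missing, and the sample lines at the bottom are constructed to resemble `rpm -Va` output, not real findings.

```bash
#!/bin/sh
# Triage "rpm -Va" output. Each line is 9 verification flags
# (S size, M mode, 5 digest, D dev, L link, U user, G group, T mtime,
# P caps), two spaces, an attribute letter (c = config file, or blank),
# a space, then the path. "missing" lines mark files that are gone.
# Config files legitimately change, so they are skipped; everything
# else with a size/mode/digest change is worth a look, as is any
# missing file. Note the caveat from the post: a package that was
# replaced wholesale via rpm itself will verify clean.

# Read rpm -Va lines on stdin, print only the suspicious ones.
triage_rpm_verify() {
    while IFS= read -r line; do
        case "$line" in
            missing*)
                printf 'MISSING  %s\n' "$line"
                continue
                ;;
        esac
        flags=$(printf '%s' "$line" | cut -c1-9)
        attr=$(printf '%s' "$line" | cut -c12)
        [ "$attr" = "c" ] && continue          # config file: expected to differ
        case "$flags" in
            S*|*M*|*5*) printf 'CHANGED  %s\n' "$line" ;;   # content/mode changed
        esac
    done
}

# Constructed sample of rpm -Va output (not real findings).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/ls
.......T.    /usr/lib64/libc.so.6
missing     /usr/sbin/lsof
.M.......    /usr/bin/find'

# Number of suspicious entries in the constructed sample.
count_sample_suspicious() {
    printf '%s\n' "$SAMPLE" | triage_rpm_verify | wc -l | tr -d ' '
}

if [ "$1" = "--live" ]; then
    rpm -Va | triage_rpm_verify        # run against the real system
else
    printf '%s\n' "$SAMPLE" | triage_rpm_verify
fi
```

Run it with `--live` on the suspect host; anything it prints under `CHANGED` or `MISSING` for a binary or library should be compared against a known-good copy of the package before you trust the machine.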