Unfortunately I have been hacked, and as a newbie I need any advice to lower the damage. My site was on a fresh Ubuntu 16 install on DigitalOcean, with a fresh Virtualmin installation. My site was using WordPress.
What I did was upload a WordPress installation (version 4.9.1) to my domain that I recently registered and forget about it in the installation process for a week. Today, visiting my site, I saw this:
He somehow completed the installation giving the site title, the title you see above in the image. He used the virtual server’s local database.
Searching Google with this title returns a lot of websites. Scanning with Sucuri returns this: https://i.imgur.com/NYN1Psy.png
The hack was done 2 days before. This is the print screen of his details used to complete the installation: https://imgur.com/3htJIcp
All my installations were clean and I did not use any plugins anywhere.
Now I have disabled the website in Virtualmin. I cannot find anything on the other 2 websites hosted on that server. I need to know if the virtual server was hacked or my server completely. Thank you in advance!
First I want to point out that he somehow managed to guess the user and password for the DB. That alone is a huge problem, because this information should not be visible to anyone aside from the VS owner or root. You don't have enough knowledge to clean up an infected site, let alone to check the entire server to see if he left some backdoor.
The best advice is to manually (!!!) back up the other two sites and wipe out the entire server. Once done, start from the beginning by installing the OS and Virtualmin. Now the problem is that you don't know if the other two sites are infected or not, and the only way to be even close to 100% sure they are safe is to pay some expert to manually check them, e.g. file by file and then the DB. If you don't have money for that, I'm afraid that the only solution is to build everything from scratch.
Last but not least, if the hacker somehow managed to dig out your DB user and password, he will probably do that again. The mistake you made the first time while installing the OS, Virtualmin and the websites has a high chance of happening again, so all the work will be for nothing if you don't discover how this happened.
TL;DR: If you have money to pay an expert to check the other two sites, good; if not, just pay Virtualmin $50 to properly install and secure your server, and build the two sites in question again without using any old code or files.
Thank you for helping, and I'm sorry for the late answer, but I was in a hurry to deal with this. I will follow all your advice. I moved the other two websites to paid hosting. Of course I will build the server from scratch. I hope I find out how that happened. My problem is that all passwords were generated by Virtualmin, only the username for the website in Virtualmin was the same as the domain, and everything was a fresh install. Thank you again.
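
Added example, not part of the thread above: one way to look for the moment an unfinished WordPress installer was completed is to search the site's web access log for successful POSTs to the two installer steps that change state. It assumes Apache/nginx "combined" log format; the function names are hypothetical and the sample lines are constructed (documentation IP ranges, invented timestamps).

```bash
#!/usr/bin/env bash
# Added example: list requests that completed a WordPress web installer.
# Input: "combined" format access log lines on stdin.

# Constructed sample lines, not taken from any real server.
sample_log() {
cat <<'EOF'
198.51.100.20 - - [10/Jan/2018:09:12:01 +0000] "GET /wp-admin/install.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2018:03:44:10 +0000] "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 2100 "-" "python-requests/2.18"
203.0.113.7 - - [15/Jan/2018:03:44:12 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 3900 "-" "python-requests/2.18"
203.0.113.7 - - [15/Jan/2018:03:44:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.18"
198.51.100.20 - - [17/Jan/2018:08:00:00 +0000] "POST /wp-admin/install.php?step=2 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF
}

# Print "client_ip timestamp path status" for each successful POST to:
#   setup-config.php?step=2  (writes wp-config.php from the submitted DB details)
#   install.php?step=2       (creates tables, site title and the admin account)
installer_posts() {
  awk '
    {
      n = split($0, q, "\"")        # q[2] = request line, q[3] = status/bytes
      if (n < 3) next
      split(q[2], req, " ")         # method, path, protocol
      split(q[3], st, " ")          # status, size
      if (req[1] != "POST") next
      if (req[2] !~ /\/wp-admin\/(install|setup-config)\.php\?(.*&)?step=2(&|$)/) next
      if (st[1] !~ /^[23][0-9][0-9]$/) next   # ignore blocked or failed attempts
      ts = $4; sub(/^\[/, "", ts)
      print $1, ts, req[2], st[1]
    }'
}

# Demo on the constructed sample; on a server, feed the real log instead:
#   installer_posts < /path/to/site_access_log
sample_log | installer_posts
```

A hit whose client address and time are not your own marks when and from where the installation was finished; a `setup-config.php` hit additionally means the database details were typed into the web form rather than read from the server.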