Hope you are all doing well. I have been having serious issues with hackers targeting several WordPress installs on one of our servers. The latest thing they did was upload a script to /tmp and run it, which created several processes, one of which attached itself to the /sbin/init process (PPID = 1), which meant I had to reboot the server to exit whatever it was doing.
My quick research is pointing at mounting /tmp and possibly /home as noexec. But before I do that I thought I would ask you guys what that might do to the normal operation of Virtualmin/Webmin.
Also, is there a way to set the default shell to /bin/false?
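An audit sketch for the situation described in the post, added here as an example and not part of the original post: it checks whether /tmp and /home carry the noexec mount option, and lists processes whose parent is PID 1 and whose command line names a path under /tmp. The function names and both sample inputs are constructed for illustration; on a live host the same functions would read `/proc/mounts` and the output of `ps -eo pid=,ppid=,args=`.

```shell
# Constructed sample of /proc/mounts (not taken from any real server).
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Constructed sample of `ps -eo pid=,ppid=,args=` output.
sample_ps() {
cat <<'EOF'
    1     0 /sbin/init
  812     1 /usr/sbin/apache2 -k start
 4021   812 /usr/sbin/apache2 -k start
 4410     1 /tmp/.x/worker
 4411     1 sh /tmp/run.sh
 4500  4021 php /home/site/public_html/index.php
EOF
}

# mount_has_opt MOUNTPOINT OPTION   (mount table on stdin)
# Exit 0: option set; 1: mounted without it; 2: not a separate mount.
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { opts = $4; seen = 1 }   # last entry for a path wins
        END {
            if (!seen) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) exit 0
            exit 1
        }'
}

# orphans_from DIR   (ps listing on stdin)
# Prints PIDs whose parent is PID 1 and whose command line names a path under DIR.
orphans_from() {
    awk -v dir="$1/" '
        $2 == 1 {
            for (i = 3; i <= NF; i++)
                if (index($i, dir) == 1) { print $1; next }
        }'
}

for mp in /tmp /home; do
    if sample_mounts | mount_has_opt "$mp" noexec; then echo "$mp: noexec"
    else echo "$mp: noexec not set"; fi
done
echo "PPID 1 with a path under /tmp:" $(sample_ps | orphans_from /tmp)
```

Long-running daemons also have PID 1 as their parent, which is why the listing is filtered by path and not by PPID alone.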