The last 24 hours has been a huge misery. One of our server was compromised, it looks like two WordPress sites were hacked, not sure exactly how. We have been working around the clock. The sites started to create 10's of thousands of email files, though they were not successfully sent. In the end after hours of battling the hack we only got it to stop by completely deleting Dovecot. Now that we have reinstalled it the few legit emails in Postfix spool folder are going nowhere because it can't find a mail transport. Any suggestions on how to get it working again. In the years we have used the control panel this is the worst thing that has ever happened to us. We deleted the two sites and when they are restored they immediately start to create email files again. Unfortunately, while there are WordPress plugins that scan for viruses, they all seem to depend on WordPress running and we cannot afford to let them run, not even for a short time. We wish there was some way to scan for files without WordPress running. What a mess. There are just too many files in a WordPress site to find out where the hack is and we have not really had to before now.
Hacked via WordPress