Budget: 1500 UAH Deadline: 3 days
Good day! I have already cleaned such stories — WP, where a doorway was uploaded and generated pages were piled up. The main thing here is not to sweep the pages but to find out how they got in; otherwise, it will be the same in a week.
If I were doing it for you:
1. I take a copy of the files and a database dump, looking in read-only mode to avoid erasing traces.
2. I search for recently modified files, web shells, eval/base64 injections, rogue mu-plugins, tasks in wp-cron, foreign admins in wp_users, foreign strings in options, .htaccess, and nginx configs.
3. I compare plugins and the theme with clean sources — the vulnerable component is usually the entry point.
4. I clean or help rebuild from clean files, then rotate all keys and passwords and list what to close to prevent recurrence.
Access: SSH (preferably a separate key for this task), site files, and a database dump on the dev server. I will also quickly check the old working site for indicators — both could have been affected.
Estimated time is 2-3 days. I set the price lower than usual because I am gathering my first reviews here, so it is important for me to do it cleanly.
Question: Are there nginx and PHP-FPM logs left from Monday when it was hacked? With them, the entry point is visible much faster than from the files themselves.
I can start with a safe audit without touching anything yet.