Originally Posted by T-Dub116
My customer runs his entire business on this server, so I am unable to just "Cut my losses and do a clean install"
First of all, it took you days to reply. Then you're talking only about combating symptoms in your OP but not the cause. That unfortunately is a good indication of somebody, and I don't know what the reason is, trying to "fix" things (which is supported by your actions like locking down after the fact and re-installing packages). (If you want to see where this is coming from, I invite you to search the LQ Linux - Security forum for forensics / incident response clues.)
So. Let me phrase this differently then:
- Installing this malware required root privileges: that means it isn't some isolated breach of security but a root compromise.
- You may not have a clue when the cracker gained root rights, what s/he installed or siphoned off of the machine (passwords, private keys, any data).
- If you value your business you wouldn't cheat your customer into thinking all is well. It isn't. So deal with it.
So. What to do? Inform your users and client(s). Set up a new machine. Don't recycle system data, passwords or private keys. Harden it properly. Adhere to best practices.
any data (to an intermediate system), separate user data and verify everything before migrating it. Don't allow customers to inject stale software or software of questionable origin including plug-ins, add-ons, themes and whatnot. Ensure auditing is enabled. Remain vigilant always. Respond to alerts in a timely fashion.
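The "verify everything before migrating it" step from the advice above, as an added example that is not code from the thread or from any LQ member: a small POSIX sh triage script run against a staging copy of the user data before it is copied onto the rebuilt host. It lists anything that has no business in a data-only tree (setuid/setgid files, world-writable files, executables of any kind) so a human can review them instead of carrying them over. The directory layout and sample files are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the LQ thread): triage a staging copy of user
# data before migrating it to a rebuilt server. Everything below uses only
# POSIX find/sed/wc, so it runs on a minimal rescue environment.

# list_suspicious DIR
# Prints one "TAG path" line per finding. A file can appear under more
# than one tag (e.g. a setuid binary is also EXECUTABLE).
list_suspicious() {
    # setuid / setgid files: a privilege-escalation foothold if executed
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/SUID_SGID /'
    # world-writable files: any local account on the new host could alter them
    find "$1" -type f -perm -0002 -print 2>/dev/null |
        sed 's/^/WORLD_WRITABLE /'
    # owner-executable files: scripts, binaries, "helpers" hidden in data
    find "$1" -type f -perm -0100 -print 2>/dev/null |
        sed 's/^/EXECUTABLE /'
}

# count_suspicious DIR
# Echoes the number of findings; 0 means the tree passed this check
# (which is a necessary, not a sufficient, condition for migrating it).
count_suspicious() {
    list_suspicious "$1" | wc -l | tr -d ' '
}

# make_sample_staging
# Builds a constructed staging tree (hypothetical content) and echoes its path:
#   notes.txt          plain data, should not be reported
#   uploads/helper.sh  an executable script dropped among user uploads
#   uploads/.cache     a world-writable hidden file
#   bin_copy           a setuid file copied along with "data"
make_sample_staging() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    printf 'hello\n' > "$d/notes.txt";            chmod 644 "$d/notes.txt"
    printf '#!/bin/sh\n' > "$d/uploads/helper.sh"; chmod 755 "$d/uploads/helper.sh"
    printf 'x\n' > "$d/uploads/.cache";           chmod 666 "$d/uploads/.cache"
    printf 'x\n' > "$d/bin_copy";                 chmod 4755 "$d/bin_copy"
    echo "$d"
}

# Stand-alone demo: build the constructed tree, report on it, clean up.
demo_dir=$(make_sample_staging)
echo "Scanning constructed staging tree $demo_dir"
list_suspicious "$demo_dir"
echo "findings: $(count_suspicious "$demo_dir")"
rm -rf "$demo_dir"
```

In real use you would run `list_suspicious /srv/staging/customer-data` on the intermediate system, review every reported path with the customer, and only then rsync the tree onto the hardened replacement host; a clean report from this script does not replace checking the data itself (web roots, plug-ins and themes in particular) against known-good copies.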