A virus has surfaced on the hosting server. I inadvertently discovered it while working on the client's layout (html, css, js) on a test site hosted on the server, and noticed the presence of php files in the directory. Initially, I conjectured that perhaps a package within npm generates virus-infected files sporadically during the build process, which then get habitually copied and transmitted to the server. I use gulp as the build tool.

Based on the timestamps, the first stage occurred at 18:00, followed by the second stage at 21:00. It is plausible that I made my updates at 18:00, but they didn't get included in the build (as I had already pushed them to git). A day later, the hosting server crashed with a 500 error code and was utilizing 400 MB of RAM.

The virus masquerades as WordPress files. Although there is a single WordPress site hosted, it has been updated without any plugins, making it unlikely to be the source. Interestingly, when I accidentally tested the site using PageSpeed, it displayed an entirely different website (even though the actual site opens normally).

What type of attack could this be? How can it be remedied, and most importantly, how can we prevent such attacks in the future?

Working on a machine running macOS.

Can SSH be used to establish a connection with the host?
I've encountered a similar issue before. SSH access is essential for streamlined process monitoring.

Establishing an SSH connection can greatly assist in managing and troubleshooting various aspects of the hosting environment. It enables easy tracking of processes, ensuring efficient monitoring and problem-solving. Additionally, SSH access provides a secure way to interact with the host, enhancing overall system administration capabilities.

The following guidelines can assist you in addressing this issue effectively:

Perform a thorough antivirus scan on your device to ensure it has not been compromised and is functioning properly. If necessary, try using alternative antivirus software and, if no threat is detected, temporarily disconnect your computer from the internet or local network before proceeding with the search for the virus.

Check the list of running programs and software on your computer. Access the "Task Manager" section on Windows or "System Monitoring" on macOS to identify any unfamiliar or suspicious programs. Uninstall any newly installed unfamiliar programs or those that cannot be launched.

Review the list of browser extensions to ensure there are no unknown or suspicious ones. Also, examine your browsing history to ensure there have been no visits to questionable websites.

Inspect the history of opened files in the installed programs on your computer; there might be some suspicious activity or files. This information can typically be accessed through the "File" section in most popular programs.

Attempt to detect and remove the virus yourself, or seek assistance from specialists if needed. If you find any malicious files, delete them promptly.

Change passwords for all your accounts as a precautionary measure. If spam emails have been sent from your account, notify your contacts about the situation. If you have entered your banking information on the compromised device, contact your banks immediately to report a potential data leak and prevent any fraudulent activities.

To prevent such situations in the future, adopt secure practices like using strong and unique passwords for your accounts, exercising caution when installing programs from unverified sources, employing a reliable firewall or antivirus software, and consistently updating both programs and antivirus databases.

By following these recommendations and implementing best security practices, you can significantly reduce the risk of compromising your computer's security and, in turn, protect the integrity of your website.

Types of Threats:
There is a multitude of virus types, and let's explore some of the most prevalent ones.

XSS or Cross-Site Scripting involves injecting malicious code onto a victim site's page. Once a user accesses the infected page, the code connects to the server, potentially stealing cookies. XSS poses risks not only to users but can also enable attackers to gain access to the site's control panel by obtaining administrator cookies using JavaScript scripts.

SQL injection is a straightforward method for hacking a website. When working with SQL databases, developers utilize GET and POST methods. If a vulnerability exists on the site, an attacker can exploit it by sending a GET request to the server, gaining unauthorized access to the database. This enables them to manipulate data in various ways, such as downloading, modifying, or deleting it.

LFI or Local File Inclusion refers to the connection and manipulation of local files on the server, with PHP scripts being particularly vulnerable. By manipulating specific parameters within a susceptible file, attackers can gain access to it and exploit it to their advantage. Most commonly, this leads to site hacking, although other scenarios are possible.

Understanding how viruses infect websites can assist in preventing hacks or mitigating their consequences. Several avenues for infection exist.

Vulnerable Code:
Some developers neglect the security of their applications and scripts. PHP sites often fall victim to SQL injections, while other programming languages face their own set of issues. So, maintaining a high level of caution remains crucial, regardless of the language or framework employed for website development.

CMS Vulnerabilities:
Even commercial CMS platforms may contain vulnerable code. The popularity of a particular system can expose its vulnerabilities to hackers. WordPress sites, for example, frequently encounter viral infections due to the widespread adoption of the platform.

Viruses in Plugins, Themes, and Engines:
Malicious code often infiltrates "hacked" themes, engines, and plugins. It is advisable to use licensed applications even if they come at a cost, as attempting to save money could result in more extensive efforts to identify and remove viruses from a compromised site.

Mistakes by Developers:
Even reputable developers can make errors that introduce vulnerabilities. Regular security updates address these issues found in web servers, mail servers like Exim, and other components. Promptly installing these updates is crucial to maintain a secure website.

Malicious Code in Advertisements:
Advertising banners and ads sometimes contain embedded malicious code. While this code does not directly harm the site, it infects users' computers. Thus, being cautious with the advertisements displayed on a website is essential.

Various Methods of Hacking Websites and Introducing Malicious Code:
Websites can be infected automatically or manually. Freelance programmers may leave backdoors on sites as insurance against non-payment. Intruders also utilize backdoors for their malicious activities. It is prudent to carefully select programmers and fulfill obligations. Additionally, brute force attacks, where login and password combinations are systematically guessed, remain an effective method due to many users relying on weak credentials. Mitigating this issue can be as simple as using complex, randomly generated passwords.

Prevention Measures:
Maintain regular software updates, ranging from CMS to web servers. Avoid purchasing unlicensed software and thoroughly vet performers before hiring them. Utilizing complex passwords is vital for enhanced security.

Based on the provided information, it is difficult to definitively determine the type of attack that occurred. However, there are a few possibilities to consider.

1. Server compromise: It is possible that the hosting server itself was compromised, leading to malware being injected into your website's files. This could occur due to vulnerabilities in the server's software or misconfigurations.

2. Code injection: Another possibility is that the virus was injected into your website's files through a vulnerability in your code, such as a form input that allowed for arbitrary file uploads. The virus may have been disguised as PHP files to execute malicious commands on the server.

To remedy the situation and prevent future attacks, there are several steps you can take:

1. Quarantine affected files: Identify the virus-infected files and remove them from the server. Ensure that no backups or copies of these files remain.

2. Update software and plugins: Regularly update all software, including your hosting server, content management system (CMS), and any plugins or dependencies used in your project. Outdated software can contain vulnerabilities that attackers exploit.

3. Review server logs: Investigate server logs to identify any suspicious activities or patterns that might indicate how the attack occurred. This could help inform security measures to implement.

4. Strengthen server security: Review and enhance server security configurations, such as disabling unnecessary services, implementing strong passwords, using firewalls, and following best practices for server hardening.

5. Conduct security audits: Regularly conduct security audits of your codebase to identify and fix any vulnerabilities. Tools like static analysis scanners and penetration testing can help in this regard.

6. Implement web application firewall (WAF): Consider implementing a WAF to filter out malicious traffic and protect your website from common attack vectors. A WAF can help detect and block attacks like code injection and cross-site scripting.

7. Educate and train staff: Ensure that all relevant personnel are educated about secure coding practices and basic cybersecurity hygiene. This includes using strong passwords, avoiding suspicious links and attachments, and being cautious with user input.

8. Regular backups: Implement a regular backup strategy for your website files and databases. This helps ensure that even if an attack occurs, you can restore your website to a known clean state.

9. Secure file permissions: Set appropriate file and directory permissions on your server. Restrict write access to only necessary directories and files, reducing the potential impact of an attacker gaining access to your server.

10. Use secure protocols: Ensure that all communications between your server and clients are encrypted using HTTPS. Use SSL/TLS certificates to establish secure connections, preventing data interception and tampering.

11. Two-factor authentication (2FA): Implement 2FA for accessing your hosting account and CMS. This adds an additional layer of security by requiring a second authentication factor, such as a code generated on a mobile device, along with a password.

12. Regular security monitoring: Monitor your server and website for any signs of suspicious activities or unauthorized access. Deploy intrusion detection systems or security plugins that can alert you to potential threats and provide real-time monitoring.

13. Stay informed about security updates: Keep yourself informed about the latest security vulnerabilities and patches related to the software and tools used in your website. Subscribe to security mailing lists and follow reputable security blogs to stay updated.

14. Security testing and code review: Regularly conduct security testing and code reviews to identify any vulnerabilities or weaknesses in your codebase. This can be done through manual code reviews, automated testing tools, or by engaging professional security consultants.

15. User access management: Restrict user access and privileges to only what is necessary for their roles. Use strong passwords, enforce password expiration policies, and consider implementing mechanisms like account lockouts to prevent brute-force attacks.