WordPress has an FAQ in serveral languages: “My site was hacked!” that has many tips and links.
- Ensure that the most current secure release of WordPress is being used.
- Ensure that the latest release of Joomla is being used.
- Ensure that the most current Drupal version is being used.
If TYPO3 is being used, ensure that the most current version of it is being used.
- XBL/CBL is also detecting and listing IP addresses with StealRat infections.
- The CBL website offers assistance to help find the problem, fix it, and then prevent it from happening again.
- CBL also mentions the “ebury SSH rootkit”, a sophisticated Linux backdoor. It is built to steal OpenSSH credentials and maintain access to a compromised server. Suggested reading regarding ebury: