I've been hacked and I can't figure out how
I support a small display-only website for a friend on AWS. Today she let me know it wasn't running. I ssh'ed in and found a few files had been changed, but not in a competent manner. They were mostly .php files that had garbage in them. Most notably index.php, which was not functional. WordPress is up to date, as are all plugins that I use as well as the one theme. Unused themes and plugins were removed.
There are only four passwords into the system. The two WordPress accounts have 20 char random strings for passwords. I don't think you could do the damage that was done from WordPress anyway. The AWS account has 2FA. The ssh login uses a .pem file.
The only hint of what happened that I could find was that embedded in the faulty index.php file was the cryptic URL zeura.com and an attempt to access the website in the logs from a Microsoft-owned IP in Singapore the day after the changes were made. Any ideas on how this could have been done?