ryan, I need some help trying to figure out what kind of attack is happening with my host. I have a single ubuntu server with some wordpress apps, bookstack, roundcube, and tautulli. I've noticed recently that a bunch of "index.php" files have been added to sites in "upload" folders, and that what appears to be system files for the web apps being modified.
(more detail in comments)