    Unsolved How can I see what process is updating a file

    IT Discussion
    wordpress vultr wordfence chattr hacked phpmyadmin xhprof cockpit ubuntu 18.04
    JaredBusch

      Client WP site got blowed up. I didn't set it up.

      From what I can tell it was setup on a Vultr by someone using the WP App install method.
      Custom theme was setup and their content added.
      But nothing was ever updated after the fact. Surprise it was hacked...

      Ubuntu 18.04 with Zero updates. No idea what the WP version was, I didn't note it down.

      Updated Ubuntu 18.04 to current 18.04.
      Blocked SSH.
      Updated WP to current.
      Removed unused plugins.
      Updated all the remaining plugins.
      Installed wordfence plugin with subscription.

      WordFence cleaned the fuck out of things. All but one issue resolved within WordPress.

      The index.php keeps getting overwritten. Immediately upon getting fixed. It also gets a chmod 444 by whatever process is fucking with it.

      So I made a new file named index.php.lock with the default contents.
      Then I copy it into place and set it immutable.

      cp index.php.lock index.php && chattr +i index.php
      

      That keeps the file safe and WordFence has no other issues.

      But now I want to know where this is coming from so I can make sure it does not come back when I backup and restore this thing to a new instance.

      A default WP instance from Vultr has phpmyadmin, cockpit, and XHProf installed. I assume one of these was compromised as WordPress itself seems clean at this point, but I want to be certain.

      So I installed fswatch hoping that would help me. Well it shows me the file attempting to get fucked with. But not any details.

      # fswatch -v index.php
      register_signal_handlers: SIGTERM handler registered.
      register_signal_handlers: SIGABRT handler registered.
      register_signal_handlers: SIGINT handler registered.
      start_monitor: Adding path: /var/www/html/index.php
      add_watch: Added: /var/www/html/index.php
      run: Number of records: 16 # <-- this one is when I put the right version in place.
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      notify_events: Notifying events #: 1.
      /var/www/html/index.php
      run: Number of records: 48 # <-- repeatedly afterwards. sometimes after a delay.
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      notify_events: Notifying events #: 3.
      /var/www/html/index.php
      /var/www/html/index.php
      /var/www/html/index.php
      run: Number of records: 16 # <-- repeatedly afterwards. sometimes after a delay.
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      notify_events: Notifying events #: 1.
      /var/www/html/index.php
      run: Number of records: 208 # <-- repeatedly afterwards. sometimes after a delay.
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      preprocess_node_event: Generic event: 1::/var/www/html/index.php
      # and more and more...

    black3dynamite

        You can try using auditd to audit the file.

        sudo apt-get install auditd
        
        

        Running sudo auditctl -l by default shows no rules.

        Create a temporary rule to audit changes to index.php

        sudo auditctl -w /var/www/html/index.php -p rwxa
        # -p = read, write, execute, attributes
        

        Running sudo auditctl -l will show the rule that was created.
        Now run sudo ausearch -f index.php | more to show what's touching index.php
        or sudo tail -f /var/log/audit/audit.log | grep index.php.

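To go one step beyond `ausearch -f` and attribute each hit on the watched file to a pid, ppid, uid and executable, here is an added example (not code from the thread) that joins the raw SYSCALL, CWD and PATH records of /var/log/audit/audit.log by event id, the way a watch rule like the one above emits them. The sample records, the php-fpm process name and the x86_64 syscall numbers are constructed or assumed for illustration.

```python
# Added example, not code from the thread: attribute auditd events on a watched file
# to a process by joining SYSCALL/CWD/PATH records per event id. Sample is constructed.
import os, re
from collections import defaultdict

SYSCALLS = {1: "write", 2: "open", 82: "rename", 87: "unlink", 90: "chmod",
            257: "openat", 268: "fchmodat"}  # x86_64 numbers (assumed arch)
REC = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1593000001.101:2201): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55aa a2=241 a3=1b6 items=2 ppid=1402 pid=2719 uid=33 comm="php-fpm7.2" exe="/usr/sbin/php-fpm7.2" key=(null)
type=CWD msg=audit(1593000001.101:2201): cwd="/var/www/html"
type=PATH msg=audit(1593000001.101:2201): item=0 name="/var/www/html/" inode=1234 nametype=PARENT
type=PATH msg=audit(1593000001.101:2201): item=1 name="index.php" inode=1301 nametype=NORMAL
type=SYSCALL msg=audit(1593000001.120:2202): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55ab a2=124 a3=0 items=1 ppid=1402 pid=2719 uid=33 comm="php-fpm7.2" exe="/usr/sbin/php-fpm7.2" key=(null)
type=CWD msg=audit(1593000001.120:2202): cwd="/var/www/html"
type=PATH msg=audit(1593000001.120:2202): item=0 name="/var/www/html/index.php" inode=1301 nametype=NORMAL
"""

def who_touched(lines, target):
    """Return one summary dict per audit event whose PATH records name target."""
    events = defaultdict(lambda: {"paths": [], "cwd": "/"})
    for m in filter(None, map(REC.match, lines)):   # skip non-audit lines
        rtype, serial, body = m.groups()
        f = {k: v.strip('"') for k, v in KV.findall(body)}
        ev = events[int(serial)]
        if rtype == "SYSCALL":
            ev["syscall"] = f
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd", "/")
        elif rtype == "PATH" and "name" in f:
            ev["paths"].append(f["name"])
    hits = []
    for serial, ev in sorted(events.items()):
        # PATH names may be relative to the event's cwd; resolve before comparing.
        names = {os.path.normpath(os.path.join(ev["cwd"], p)) for p in ev["paths"]}
        if "syscall" not in ev or target not in names:
            continue
        s = ev["syscall"]
        call = SYSCALLS.get(int(s["syscall"]), s["syscall"])
        hit = {"event": serial, "syscall": call, "pid": int(s["pid"]), "ppid": int(s["ppid"]),
               "uid": int(s["uid"]), "comm": s["comm"], "exe": s["exe"], "ok": s.get("success") == "yes"}
        if call in ("chmod", "fchmodat"):          # a2 holds the new mode, in hex
            hit["mode"] = oct(int(s["a2"], 16))    # a2=124 -> '0o444'
        hits.append(hit)
    return hits

if __name__ == "__main__":
    for h in who_touched(SAMPLE_LOG.splitlines(), "/var/www/html/index.php"):
        print(h)
```

On a live box, feed it the real log (for example `who_touched(open("/var/log/audit/audit.log"), "/var/www/html/index.php")`) and the ppid/exe columns point at the parent service to inspect next.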