Unsolved How can I see what process is updating a file
-
Client WP site got blowed up. I didn't set it up.
From what I can tell it was set up on a Vultr by someone using the WP App install method.
Custom theme was set up and their content added.
But nothing was ever updated after the fact. Surprise, it was hacked... Ubuntu 18.04 with zero updates. No idea what the WP version was, I didn't note it down.
Updated Ubuntu 18.04 to current 18.04.
Blocked SSH.
Updated WP to current.
Removed unused plugins.
Updated all the remaining plugins.
Installed wordfence plugin with subscription. WordFence cleaned the fuck out of things. All but one issue resolved within WordPress.
The index.php keeps getting overwritten, immediately upon getting fixed. It also gets a chmod 444 by whatever process is fucking with it. So I made a new file named index.php.lock with the default contents.
Then I copy it into place and set it immutable:
cp index.php.lock index.php && chattr +i index.php
That keeps the file safe and WordFence has no other issues.
But now I want to know where this is coming from so I can make sure it does not come back when I back up and restore this thing to a new instance.
A default WP instance from Vultr has phpmyadmin, cockpit, and XHProf installed. I assume one of these was compromised, as WordPress itself seems clean at this point, but I want to be certain.
So I installed fswatch hoping that would help me. Well, it shows me the file attempting to get fucked with. But not any details.
# fswatch -v index.php
register_signal_handlers: SIGTERM handler registered.
register_signal_handlers: SIGABRT handler registered.
register_signal_handlers: SIGINT handler registered.
start_monitor: Adding path: /var/www/html/index.php
add_watch: Added: /var/www/html/index.php
run: Number of records: 16     # <-- this one is when I put the right version in place.
preprocess_node_event: Generic event: 1::/var/www/html/index.php
notify_events: Notifying events #: 1.
/var/www/html/index.php
run: Number of records: 48     # <-- repeatedly afterwards. sometimes after a delay.
preprocess_node_event: Generic event: 1::/var/www/html/index.php
preprocess_node_event: Generic event: 1::/var/www/html/index.php
preprocess_node_event: Generic event: 1::/var/www/html/index.php
notify_events: Notifying events #: 3.
/var/www/html/index.php
/var/www/html/index.php
/var/www/html/index.php
run: Number of records: 16     # <-- repeatedly afterwards. sometimes after a delay.
preprocess_node_event: Generic event: 1::/var/www/html/index.php
notify_events: Notifying events #: 1.
/var/www/html/index.php
run: Number of records: 208    # <-- repeatedly afterwards. sometimes after a delay.
preprocess_node_event: Generic event: 1::/var/www/html/index.php
preprocess_node_event: Generic event: 1::/var/www/html/index.php
preprocess_node_event: Generic event: 1::/var/www/html/index.php
preprocess_node_event: Generic event: 1::/var/www/html/index.php
preprocess_node_event: Generic event: 1::/var/www/html/index.php
preprocess_node_event: Generic event: 1::/var/www/html/index.php
# and more and more...
-
You can try using auditd to audit the file.
sudo apt-get install auditd
Running sudo auditctl -l by default shows no rules. Create a temporary rule to audit changes to index.php:
sudo auditctl -w /var/www/html/index.php -p rwxa # -p = read, write, execute, attributes
Running sudo auditctl -l will show the rule that was created.
Now run sudo ausearch -f index.php | more to show what's touching index.php, or sudo tail -f /var/log/audit/audit.log | grep index.php.
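To make the raw audit.log output from that -w rule easier to act on, here is a small triage script added as an example (it is not from the thread and not part of auditd). It groups records by the event serial in msg=audit(time:serial), keeps the events whose PATH record names the watched file, and reports pid, parent pid, uid, executable, syscall and the decoded command line from the SYSCALL and PROCTITLE records of each. The log lines embedded in it are constructed to look like what the reply's rule would log; the php-fpm and cp attributions, pids, inodes and timestamps are invented for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in audit.log format (not real logs from this
# thread); pids, inodes, times and the php-fpm/cp attribution are invented.
# Each event is one SYSCALL record plus its CWD/PATH/PROCTITLE records,
# all sharing a serial in msg=audit(<time>:<serial>). Event 920 touches a
# different file and must be filtered out.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1612345678.101:901): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7f1c2c0048a0 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.2" exe="/usr/sbin/php-fpm7.2" key=(null)
type=CWD msg=audit(1612345678.101:901): cwd="/var/www/html"
type=PATH msg=audit(1612345678.101:901): item=0 name="/var/www/html/" inode=262145 dev=fc:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1612345678.101:901): item=1 name="/var/www/html/index.php" inode=262170 dev=fc:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1612345678.101:901): proctitle=7068702D66706D3A20706F6F6C20777777
type=SYSCALL msg=audit(1612345678.102:902): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=7f1c2c0048a0 a2=124 a3=0 items=1 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.2" exe="/usr/sbin/php-fpm7.2" key=(null)
type=PATH msg=audit(1612345678.102:902): item=0 name="/var/www/html/index.php" inode=262170 dev=fc:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1612345678.102:902): proctitle=7068702D66706D3A20706F6F6C20777777
type=SYSCALL msg=audit(1612345680.000:920): arch=c000003e syscall=257 success=yes exit=6 a0=ffffff9c a1=7f1c2c004a00 a2=0 a3=0 items=1 ppid=1200 pid=1235 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.2" exe="/usr/sbin/php-fpm7.2" key=(null)
type=PATH msg=audit(1612345680.000:920): item=0 name="/var/www/html/wp-config.php" inode=262171 dev=fc:01 mode=0100640 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1612345690.500:950): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c0a1b2c0 a2=241 a3=1b6 items=2 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cp" exe="/bin/cp" key=(null)
type=PATH msg=audit(1612345690.500:950): item=0 name="/var/www/html/" inode=262145 dev=fc:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1612345690.500:950): item=1 name="/var/www/html/index.php" inode=262170 dev=fc:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1612345690.500:950): proctitle=637000696E6465782E7068702E6C6F636B00696E6465782E706870
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')   # msg=audit(<epoch>:<serial>)

# x86_64 syscall numbers for the calls a file rewrite or chmod typically uses
SYSCALL_NAMES = {
    2: "open", 257: "openat", 90: "chmod", 91: "fchmod", 268: "fchmodat",
    82: "rename", 264: "renameat", 316: "renameat2", 87: "unlink",
    263: "unlinkat", 188: "setxattr",
}


def parse_record(line):
    """Split one audit.log line into a dict; adds _ts and _serial from msg=."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(fields.get("msg", ""))
    if not m:
        return None
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def decode_proctitle(value):
    """PROCTITLE is upper-case hex (NUL-separated argv) when it has spaces."""
    if value and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    return value


def group_events(lines):
    """Group records by serial so the SYSCALL and PATH lines of one event stay together."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.strip())
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def find_writers(lines, watched_path):
    """Return one summary per event in which some process touched watched_path."""
    hits = []
    for serial, records in sorted(group_events(lines).items()):
        paths = {r["name"] for r in records if r.get("type") == "PATH" and "name" in r}
        if watched_path not in paths:
            continue
        sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        title = next((r["proctitle"] for r in records if r.get("type") == "PROCTITLE"), "")
        nr = int(sc["syscall"])
        hits.append({
            "serial": serial,
            "time": sc["_ts"],
            "pid": int(sc["pid"]),
            "ppid": int(sc["ppid"]),
            "uid": int(sc["uid"]),
            "comm": sc.get("comm", ""),
            "exe": sc.get("exe", ""),
            "syscall": SYSCALL_NAMES.get(nr, str(nr)),
            "success": sc.get("success") == "yes",
            "proctitle": decode_proctitle(title),
        })
    return hits


def summarize(hits):
    """Count events per (exe, uid): a quick view of who keeps touching the file."""
    return Counter((h["exe"], h["uid"]) for h in hits)


if __name__ == "__main__":
    found = find_writers(SAMPLE_AUDIT_LOG.splitlines(), "/var/www/html/index.php")
    for h in found:
        print(f'{h["time"]:.3f} pid={h["pid"]} ppid={h["ppid"]} uid={h["uid"]} '
              f'{h["syscall"]:<9} {h["exe"]} [{h["proctitle"]}]')
    for (exe, uid), n in summarize(found).most_common():
        print(f"{n:3d}  uid={uid}  {exe}")
```

Against the real log, call find_writers(open("/var/log/audit/audit.log").readlines(), "/var/www/html/index.php"). Two things to expect: the chmod 444 the OP sees shows up as a separate fchmodat/chmod event from the same pid, and when the writer is a web worker the exe column is only the interpreter (php-fpm, apache2), so the pid, ppid and timestamp then need to be matched against the web server's access log to find the request and script behind the write.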