Hello, I have problem with chattr +i command on my server. Ubuntu 20, Apache2, ispconfig 3. I have locked files with chattr -R +i and when I check everything can’t be edit but on the next day I have codes added on 3 files (everyday the same files) and whole directory and files are not chattr +i how to resolve this problem ? Everyday hackers are adding codes to wp-config.php , index.php and wp-settings.php ? I don’t have active cronjobs
Rather than making it immutable, find the problem. Most likely some script has been altered/added that is being accessed by someone remotely - so no cronjob is needed to run it and then it takes over your server.
they're probably adding code to a lot of other files as well, and in the database. backup everything, including the database, and move that backup to another location. keep a copy of the uploads folder and the database export on that server. wipe out the current site. remove everything. drop and recreate the database. change the webusers ispconfig password, all that web users ftp and ssh passwords, and ssh keys if possible. download fresh copies of the latest versions of wordpress, the theme, and every plugin, directly from the developers, or from wordpress.org. extract the wordpress archive, upload the theme and plugins to wp-content/themes/ and wp-content/plugins. mv wp-config-sample.php to wp-config.php, edit it to contain the correct db details, and put new wp-salts in there. check every file in the saved copy of the uploads folder, once you're sure everythings clean, copy uploads back to wp-content/. check the whole of the database (long, boring tedious process). once you're sure the database is clean, import the database back into mysql. change all wp admin user passwords on that site. install and configure wordfence, set it to regularly scan, log and alert to any changes to any files in the wordpress core, plugins etc.
Of the many things to do/look at, ensure your system is up to date on security patches. Removing the immutable attribute requires root (or appropriate capabilities, but likely just root access), so if that is being done by the hackers, they likely have full root access to your machine. Note there is a recently patched kernel vulnerability which would allow non-root users to write to immutable files, but I don't think it removes the immutable attribute (although the vulnerability could easily be used to gain unfettered root access to do whatever). Personally I would probably be looking to migrate data to a freshly installed/updated/clean server, and try to check the data migrated for backdoors and such.
It's very unlikely that ClamAV can find it, its signatures are not made specifically for website malware. You can try to run ClamAV of course to try it, but the chances that all infected files get found are quite low.
