Hello, I am getting hacked again and can't find the root cause. The problem is they create files with old dates. For example tonight they created new files with date from June, so it is extremely hard to find the root cause. Any ideas?

Code:
total 260
-rw-r--r-- 1 www-data www-data 436 Mar 15 2017 wordfence-waf.php
-rw-r--r-- 1 www-data www-data 1849 Jan 12 2019 9wes6ruv.php
-rw-r--r-- 1 www-data www-data 4764 Feb 27 2019 wp-trackback.php
-rw-r--r-- 1 www-data www-data 2283 Feb 27 2019 wp-comments-post.php
-rw-r--r-- 1 www-data www-data 369 Feb 27 2019 wp-blog-header.php
-rw-r--r-- 1 www-data www-data 1849 Jun 11 02:36 4b37qwwg.php
-rw-r--r-- 1 www-data www-data 1932 Jun 15 10:33 jshd26r4.php
-rw-r--r-- 1 root root 58 Aug 4 11:30 ads.txt
-rw-r--r-- 1 www-data www-data 1849 Aug 7 00:43 124wumo1.php
-rw-r--r-- 1 www-data www-data 1932 Sep 19 17:45 jnv96d4x.php
-rwxr-xr-x 1 www-data www-data 3155 Oct 31 19:32 wp-config.php
-rwxr-xr-x 1 www-data www-data 420 Nov 2 23:30 index.php
-rwxr-xr-x 1 www-data www-data 3150 Nov 15 19:08 xmlrpc.php
-rwxr-xr-x 1 www-data www-data 3235 Nov 15 19:08 wp-config-sample.php
-rwxr-xr-x 1 www-data www-data 31112 Nov 15 19:08 wp-signup.php
-rwxr-xr-x 1 www-data www-data 19120 Nov 15 19:08 wp-settings.php
-rwxr-xr-x 1 www-data www-data 8483 Nov 15 19:08 wp-mail.php
-rwxr-xr-x 1 www-data www-data 3326 Nov 15 19:08 wp-load.php
-rwxr-xr-x 1 www-data www-data 2504 Nov 15 19:08 wp-links-opml.php
-rwxr-xr-x 1 www-data www-data 6939 Nov 15 19:08 wp-activate.php
-rwxr-xr-x 1 www-data www-data 7616 Nov 15 19:08 readme.f08a4e343409e1e211811f9381210307.html
-rwxr-xr-x 1 www-data www-data 19935 Nov 15 19:08 license.txt
-rwxr-xr-x 1 www-data www-data 17935 Nov 15 19:08 licencia.txt
drwxr-xr-x 20 www-data www-data 12288 Nov 15 19:08 wp-includes
drwxr-xr-x 9 www-data www-data 4096 Nov 15 19:08 wp-admin
-rwxr-xr-x 1 www-data www-data 47007 Nov 15 19:08 wp-login.php
-rwxr-xr-x 1 www-data www-data 3955 Nov 15 19:08 wp-cron.php
drwxr-xr-x 14 www-data www-data 4096 Dec 7 10:46 wp-content
Examine web server logs. You seem to use Wordfence, I think that can also show what is happening. Are your WordPress, Wordfence, plugins and all themes updated?
Also check FTP server logs. In your place I would shut down that site for maintenance, maybe stop web server or place index.html in the website root. And stop ftp server. Then check the updates for all things on that website and also on the operating system. Then change all passwords to at least 12 character long random strings. All passwords mean for that website: FTP user password, database password, control panel password if you have that, WordPress user passwords, shell user password. Maybe even root user password. Remove the files cracker added, and also check database for malicious stuff added. There is for example this: https://ispprotect.com/ More such tools can be found with Internet Search Engines. After maintenance is completed, start the website again and keep following ftp and web server logs for suspicious activity. Consider using fail2ban to block password guessing attempts.
I have like 12 websites on that server, so not so easy to do... Not sure it is a passwords thing as they are all already very strong.
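Added example, not part of the thread: a backdated modification time (what `ls -l` shows) can be set with `touch` or `utime()`, but the inode change time (ctime) cannot, so this sketch lists PHP files whose ctime is far later than their mtime and prints the access-log lines around each real write time. It assumes Linux and an Apache/nginx combined-format log. The function names and the one-day gap are illustrative, and files restored from archives or changed with chmod/chown also show a gap, so treat hits as leads to review.

```python
import os
import re
import sys
from datetime import datetime

# Timestamp in combined log format, e.g. [07/Dec/2020:02:14:07 +0000]
LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def backdated_files(root, min_gap=86400, suffix=".php"):
    """Return (path, mtime, ctime) for files whose inode change time is at
    least min_gap seconds after mtime. utime() can set mtime, not ctime."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_ctime - st.st_mtime >= min_gap:
                hits.append((path, st.st_mtime, st.st_ctime))
    return sorted(hits, key=lambda h: h[2])  # oldest real change first

def requests_near(log_lines, when, window=120):
    """Return log lines stamped within `window` seconds of epoch time `when`."""
    out = []
    for line in log_lines:
        m = LOG_TS.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if abs(ts - when) <= window:
            out.append(line)
    return out

def fmt(epoch):
    return datetime.fromtimestamp(epoch).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: script.py WEB_ROOT ACCESS_LOG")
    with open(sys.argv[2], errors="replace") as fh:
        lines = fh.readlines()
    for path, mtime, ctime in backdated_files(sys.argv[1]):
        print(f"{path}  mtime={fmt(mtime)}  ctime={fmt(ctime)}")
        for line in requests_near(lines, ctime):
            print("    " + line.rstrip())
```

Files dropped in the same incident tend to share nearly identical ctimes, which narrows the log window to search across all sites on the server.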