I have an apache web server that has recently run into an issue lately with the htaccess files. Every day, something attempts to change every htaccess file in every directory. This happens on every domain connected to the ip address.
The first time the file changed, it removed
<Files xmlrpc.php> order deny,allow deny from all </Files>
and replaced it with just
However, this didn’t go through for the non-wordpress sites, it only affected the wordpress site with an xmlrpc.php file. I changed the file permissions to 444 so its read-only now, and since then none of the files have actually changed. Despite this, when I wake up to check the server files, the .htaccess file ALWAYS says they were updated at the exact same time.
Last week I migrated our tech stack. In the process I changed the htaccess file, but I didn’t delete the wordpress files instantly. In that timeframe a vulnerability was probably opened up.
I deleted basically all the wordpress folders/files. That didn’t stop the cpanel from telling me that the htaccess file were updated. At this point I’m wondering if there is a malicious php script on the site thats causing a cron job every 24 hours that just attempts to change htaccess everywhere. That kind of scares me because if the files are all read only, and theyre still being changed, the script probably has root access. I checked the ftp logs, and there hasn’t been any login attempts, I checked access logs, and there wasn’t anything out of the ordinary. I guess there’s a possibility that cpanel is changing the file automatically?
My question is how would I go about trying to find this php script affecting htaccess after I’ve trashed all the wordpress files that would’ve had php code injected into them?
If anyones had a similar issue dealing with wordpress migrations or htaccess file changes constantly let me know!
Source: Ask PHP