cannot delete folders in public_html

jsox79

Member
Jan 1, 2011
WordPress site was hacked; I cleansed the site and found the same folders have magically reappeared. I checked access logs: no one has access (FTP, HTTP, SSH) except me. How are these folders reappearing, and how can I prevent it? I've already changed all passwords, including mine, 10 times. Any help would be appreciated.

The folders in question that reappear are wordpress/, iJ/, and any wp- folder. No matter how many times I delete them, they reappear instantly. If I delete public_html, it reappears with all files instantly.

I don't understand how this is happening; I don't see any crons either. It's instantaneous, so it can't be a cron. Any help is greatly appreciated.
 

goodbot

Member
Jan 29, 2004
Florida
cPanel Access Level: Root Administrator
I'm trying to better understand "instantly"... do you see the rm'ed files/folders disappear momentarily (as if rm is working), and then they reappear a few moments later (if so, how many moments later?)... or instead... do you not see the files/folders disappear at all... as if the rm command is not working? Also... is the rm command working in other folder areas outside of these affected WordPress locations? Are you able to normally remove files and folders elsewhere in the system? Is only this one sole folder (and its parent, public_html) so affected with this "instant" return?
 

jsox79

Member
Jan 1, 2011
Thanks for the replies, guys. I was just coming back to announce it resolved.

It literally was rm -rf public_html/: it would disappear, then ls and it was right back.

Somehow they had created a PHP-FPM process, and it was running a script to monitor the folder in real time and replace the files if they were not there. Now, probably keep this in mind for anyone else: I figured out that changing ownership of the folder or permissions disabled its ability to do its job. From there it was tracking down the process under the username it was using. This proved difficult, as it would not show up running ps -aux | grep username; it was masking itself in real time. I ended up using a GUI-based process manager (htop) to view on one terminal screen while I executed the rm on another, and it revealed itself and its PID briefly. I saw it was running in an FPM pool and just killed the proc. Having already removed access to the site and removed the kit he was using, I was able to terminate the process by PID, and that was it.

This was a new customer who had just migrated their site over. We found the malware instantly once moved, but the backdoors it left behind were quite impressive and were not detected by any scanners.
 

si-0

Registered
Oct 10, 2020
NZ
cPanel Access Level: Root Administrator
Hi jsox79,

This info above is very good. I'm having the same problem, with a folder in my wp uploads area coming back after I delete it. As soon as I refresh the file manager, it's back. If I rename the folder and delete it, it comes back with the new renamed name. I set file permissions to 0000 etc. with the same result, using File Manager within cPanel.

Could you please go into more detail on how you removed the PHP-FPM process? The site was previously infected with malware, removed and cleaned, but it keeps coming back. Any help or advice would be much appreciated. Just a hobbyist who has a few sites for friends and family. I have premium Wordfence installed, but it does not detect it. I was updating .htaccess files when I came across it. It stood out, as I know the wp-filemanager-pro plugin has bad vulnerabilities and I never installed it. Also, plugins don't live in the uploads folder. The folder that was being created had FM_Backup and index.html and index.php inside.
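The process jsox79 describes (a script that watches the directory and puts the files back the moment they are removed) and the reappearing uploads folder in si-0's post both come down to a process that holds a live reference to the directory. A `ps | grep` on the name is unreliable when the process rewrites its own cmdline, but the kernel still records the process's working directory, executable and open file descriptors under /proc, and an inotify-based watcher records the watched directory's inode in /proc/PID/fdinfo. The bash script below is an added example, not code from this thread or a cPanel tool: it walks /proc and lists every process that refers to the given directory (optionally filtered to one user, as jsox79 was doing), so the PID can be killed and the FPM pool it runs in identified. It assumes Linux with /proc mounted and GNU coreutils/findutils; the function name and output format are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list processes holding a reference into a
# directory by walking /proc. Assumes Linux, GNU coreutils and findutils.
#
# procs_touching_dir DIR [USER]
# Prints one line per matching process:  PID<TAB>owner<TAB>how<TAB>cmdline
# where "how" is cwd:<path>, exe:<path>, fd/N:<path> or inotify:ino:<hex>.
procs_touching_dir() {
    local dir user p pid owner link target how hit ino_pat
    dir=$(readlink -f "$1") || return 1
    user=${2:-}

    # Hex inode numbers of DIR and every subdirectory, in the form the kernel
    # writes for inotify watches in /proc/PID/fdinfo/* ("... ino:<hex> sdev:...").
    # Inode numbers are only unique per filesystem, so a match across a
    # different mount would be a false positive; treat hits as leads to verify.
    ino_pat=$(find "$dir" -type d -printf '%i\n' 2>/dev/null \
        | awk '{printf "%sino:%x ", (NR > 1 ? "|" : ""), $1}')

    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        [ "$pid" = "$$" ] && continue          # skip the shell running this scan
        owner=$(stat -c %U "$p" 2>/dev/null) || continue   # process already gone
        [ -n "$user" ] && [ "$owner" != "$user" ] && continue

        # 1. Path-based references: cwd, exe and every open fd of the process.
        how=""
        for link in "$p/cwd" "$p/exe" "$p"/fd/*; do
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                "$dir"|"$dir"/*) how="${link#$p/}:$target"; break ;;
            esac
        done

        # 2. inotify watchers hold an anonymous inode, not a path, so the
        #    directory only shows up as its inode number in fdinfo.
        if [ -z "$how" ] && [ -n "$ino_pat" ]; then
            hit=$(cat "$p"/fdinfo/* 2>/dev/null | grep -oE "$ino_pat" | head -n 1)
            [ -n "$hit" ] && how="inotify:${hit% }"
        fi

        [ -z "$how" ] && continue
        printf '%s\t%s\t%s\t%s\n' "$pid" "$owner" "$how" \
            "$(tr '\0' ' ' <"$p/cmdline" 2>/dev/null)"
    done
    return 0
}

# Stand-alone use:  ./find_dir_holders.sh /home/site/public_html [username]
if [ "$#" -gt 0 ]; then
    procs_touching_dir "$@"
fi
```

One caveat the thread's own experience illustrates: a watcher that polls with stat() and sleeps holds no reference to the directory between polls, so the path-based check only catches it while it is momentarily inside the directory. In that case run the scan in a loop, or side by side with the rm as jsox79 did, and rely on the inotify check for the more common event-driven watcher. Once the PID is known, /proc/PID/status and the pool's own config tell you which PHP-FPM pool it belongs to.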