Hello, I manage a Linux Apache web server with a few WordPress blogs, and from time to time I see someone inject a malicious .php file into the wp-content/uploads/2014/10/ directory. I think it's some bad plugin or theme, but there are more blogs; I upgrade and update WP, but please advise me how I can set up some monitor to tell me which PHP file (or even which line in the PHP file) injected that malicious .php. I have Linux root access, so I can set up anything.
Hackers like to stick in back doors so they can regain access to an account if the main exploit code is found. You may have more than one place where hackers are getting in. In such a situation, it is best to change all of your account passwords, back up your files (and database) and install all files fresh using files you know for certain are not compromised. You don't have to reinstall your database, but you should check the posts table and look for any encoded/obfuscated data, iframes, and malicious JavaScript. Also, are you using any plugins? Insecure plugins are often used as attack vectors. I don't know what logs are available to monitor activity to see who is doing what. If they have access to your account, they could delete any log file entries anyway. http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html
Thanks for the tips. The hacker injected a new malicious file into the WordPress root directory while I had set this directory's permissions to 555 (no write bit, 7) and set a random hosting account password from within the server control panel via an HTTPS connection. Then, when the file was injected, I saw the WordPress root folder permissions were back to 755; it's strange. When looking at the PHP info page, I found no "chmod" occurrence.
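As an added example (not code posted in this thread) of the monitor the first post asks for: a small PHP file loaded through Apache's `auto_prepend_file` setting that snapshots wp-content/uploads when a request starts and, at shutdown, logs the request, its entry script and every file it included whenever a new PHP file has appeared. The document root, the log path and the file-name pattern are assumptions.

```php
<?php
// Added example: record which request created a new .php file under wp-content/uploads.
// Enable with auto_prepend_file = /path/to/upload_monitor.php (php.ini or .htaccess).
// Assumptions: WordPress lives in DOCUMENT_ROOT, and the log path is writable by Apache.
define('UPLOAD_MON_DIR', rtrim($_SERVER['DOCUMENT_ROOT'] ?? '', '/') . '/wp-content/uploads');
define('UPLOAD_MON_LOG', '/var/log/wp-upload-monitor.log');

function upload_mon_snapshot(string $dir): array {
    // Collect every PHP-like file (php, php5, phtml, phar) under $dir, recursively.
    $found = [];
    if (!is_dir($dir)) return $found;
    try {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
        foreach ($it as $file) {
            if (preg_match('/\.ph(p[0-9]?|tml|ar)$/i', $file->getFilename())) {
                $found[$file->getPathname()] = true;
            }
        }
    } catch (UnexpectedValueException $e) {
        // An unreadable subdirectory must not break the monitored request itself.
    }
    return $found;
}

function upload_mon_new_files(array $before, array $after): array {
    // Paths present after the request but not before it.
    return array_keys(array_diff_key($after, $before));
}

$GLOBALS['upload_mon_before'] = upload_mon_snapshot(UPLOAD_MON_DIR);

register_shutdown_function(function () {
    $new = upload_mon_new_files($GLOBALS['upload_mon_before'], upload_mon_snapshot(UPLOAD_MON_DIR));
    if (!$new) return;
    // The request that was running when the file appeared: entry script, URL, client
    // address and the full include list, which narrows the culprit to a plugin or theme.
    $entry = [
        'time'     => date('c'),
        'script'   => $_SERVER['SCRIPT_FILENAME'] ?? '',
        'method'   => $_SERVER['REQUEST_METHOD'] ?? '',
        'uri'      => $_SERVER['REQUEST_URI'] ?? '',
        'ip'       => $_SERVER['REMOTE_ADDR'] ?? '',
        'new'      => $new,
        'included' => get_included_files(),
    ];
    file_put_contents(UPLOAD_MON_LOG, json_encode($entry) . PHP_EOL, FILE_APPEND | LOCK_EX);
});
```

It cannot name the exact line, but the include list narrows the culprit to the plugin or theme files active in that request. The per-request scan is costly on a busy site; a kernel-side alternative is an auditd watch (`auditctl -w /path/to/wp-content/uploads -p wa -k wp_uploads`), which identifies the writing process rather than the PHP file.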