File permissions keep reverting after a hack
You set the permissions on index.php (or another file) to 644 in FileZilla. Within seconds they're back to 444 — and the file content has been overwritten too. Replacing the file with a clean copy has the same outcome: it's overwritten again.
This article explains why this happens and how to stop it.
What's happening
This is not an FTP problem and not a permissions problem on your account.
Malicious code is running inside a PHP-FPM worker. The worker stays alive in memory and rewrites files (and resets their mode, usually to 444 so you can't replace them) the moment you change them. From your side, FileZilla looks broken — but really the file is being overwritten and chmod'ed by a PHP process on the server, just after your upload.
Killing the worker stops this. The worker belongs to the FPM pool that serves the site, so the fix is to restart that FPM pool.
After a restore from backup
The same loop can show up right after restoring from a backup, because the backup itself often includes the infected files. Same fix.
Steps
1. Restart the FPM pool
A restart kills every PHP-FPM worker for the pool and starts fresh ones, so the malicious process is gone too. See Restart and reload for both routes to the 'Restart' button.
A 'Reload' is not enough here: it lets the current request finish first, which gives the malware time to rewrite the file and reset its mode before the worker is replaced.
2. Replace the file and set the correct permissions
With the FPM pool restarted, your upload of a clean index.php and the change of permissions to 644 will now succeed and won't be reverted.
Do the same for any other files you've identified as compromised.
3. Check the malware scan results
The cluster runs a daily malware scan (maldet) across UNIX user home directories. Hits appear on the UNIX user page (and on the project page) under 'Malware', with the file path and a 'Last Seen' timestamp. See Malware scanning.
Use the list to find any malicious files you haven't already cleaned up. If you don't, the next request to one of them can start a new worker that rewrites your fixed files all over again — and you're back to permissions reverting.
4. Close the entry point
The malware got in somehow. The most common entry points:
- An outdated CMS, plugin, or theme.
- A leaked FTP, SSH, or admin password.
Update the software and rotate any credentials that may have been exposed. If you don't close the entry point, the site will be hacked again — usually within days — and the permissions will start reverting again.
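To confirm over SSH that the restart in step 1 actually stopped the rewriting, the following added example (not part of the original article) polls the file you uploaded in step 2 against a clean copy kept outside the web root, and lists other files that were recently locked to mode 444. The function names, the paths passed in, and the polling values are assumptions.

```sh
#!/bin/sh
# Added example: function names, paths and polling values are assumptions.

# is_reverted LIVE CLEAN
# Succeeds (exit 0) if LIVE no longer matches the clean copy, or if its
# mode is no longer exactly 644.
is_reverted() {
    live=$1
    clean=$2
    cmp -s "$live" "$clean" || return 0                     # content overwritten
    [ -n "$(find "$live" -prune -perm 644)" ] || return 0   # mode changed
    return 1
}

# watch_file LIVE CLEAN CHECKS INTERVAL
# Polls LIVE up to CHECKS times, INTERVAL seconds apart. Returns 1 as soon
# as the file is reverted, 0 if it stayed clean the whole time.
watch_file() {
    checks=$3
    interval=$4
    i=0
    while [ "$i" -lt "$checks" ]; do
        if is_reverted "$1" "$2"; then
            echo "REVERTED: $1 (a PHP worker is still rewriting it)"
            return 1
        fi
        sleep "$interval"
        i=$((i + 1))
    done
    echo "STABLE: $1"
}

# list_locked ROOT MINUTES
# Prints files under ROOT whose mode is exactly 444 and whose content was
# modified within the last MINUTES minutes: candidates for other files
# the malware rewrote, to compare against the malware scan results.
list_locked() {
    find "$1" -type f -perm 444 -mmin "-$2" 2>/dev/null
}

# Stand-alone use: sh check.sh /path/to/index.php /path/to/clean-index.php
if [ "$#" -ge 2 ]; then
    watch_file "$1" "$2" 6 5
fi
```

If `watch_file` reports REVERTED, a malicious worker is still alive or was started again by a request to another infected file, so go back to step 1 and work through the scan results in step 3.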