Some process is changing index.php and .htaccess file contents as well as permissions as soon as we change the owner to www-data

Heya,

This means there is a security breach somewhere either in your droplet or in your code from where access is granted. Given that files are being created, I would say it’s somehow getting access to your Droplet.

See if there are any accounts on the Droplet that have access to those files. See if you have any outdated software on your Droplet. Also if you don’t find the source of this even if you make changes now the access to your system will still be there.

You can also try to create a new droplet and migrate only your website there to see if this will resolve the issue. All in all, the best way would be to track down exactly what it’s doing this and stop it’s access but it’s tricky.

Heya, @61cada0754504c92b74676e29079ea

You can use top, htop, or ps to look for processes running as www-data or any unexpected processes:

ps aux | grep www-data ps aux | grep php

• If you see any unfamiliar or suspicious commands, note the PID and inspect their details:

ls -l /proc/<PID> cat /proc/<PID>/cmdline

Also you can use inotifywait to monitor changes in your directories:

sudo apt install inotify-tools sudo inotifywait -m -r /var/www/your-laravel-app --format '%w%f %e' -e modify,create,delete

This will show live updates of which files are being modified or created.

Also look for unauthorized SSH keys or reverse shell scripts:

cat /root/.ssh/authorized_keys 
cat /home/www-data/.ssh/authorized_keys

and check for suspicious files in /tmp, /var/tmp, or /dev/shm.

Hope that this helps!