Somehow WordPress was automatically installed on one of my client’s droplets (or at least the files – I don’t see a WP database) on-top of an existing website (not wordpress). I was able to delete/move most of the files, however there are 2 files and 1 folder which I cannot remove or overwrite even as root. When I try, they are immediately restored. I also cannot change permissions on the affected files, which currently have only read access.
Specifically: public/.htaccess public/index.php public/wp-admin/*
There also seem to be files in the ‘wp-admin’ folder that are also regenerated (perhaps on any web request; not sure). Looking at the contents of the ‘index.php’ file, I also notice a long string of hex code. I don’t know if that is normal for workpress or not. If not, it could be an indication that the system has been hacked.
The server was scheduled for a migration, which according to the history was completed 16 hours ago. I do not know if this is related.
I have no idea how this is possible. Would this be a result of the DigitalOcean “migrate”? Or perhaps a hacker? What would cause files to be locked/auto-restored like that?
Any ideas would be much appreciated. Thank you.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.