I had a Wordpress site infected by the AnonymousFox malware.
- I've cleaned / removed all affected files.
- I've removed the cron job which was set to reinfect the system.
- I've removed extra DB accounts.
- I've removed infected Wordpress plugins.
- I've removed malicious email addresses.
At this point, I thought I was rid of this AnonymousFox - however when I try to edit or delete the site index.php file, it is immediately overwritten / recreated with 444 permissions.
I've checked the running processes on the server and found none of them to be executing PHP files. I do not see any processes which seem malicious. I assume, however, that there must be a process on the server which is constantly recreating this index.php file.
How can I identify what is recreating this file and stop it?
