• Resolved WebHostPro

    (@dwhswebhosting)


    Hi,

    We have a complicated hack with two WordPress sites.

    Both hacked WordPress sites version 5.4.1 have the main index.php files changed to permissions 444 and filled with hacked content.

    We have tried changing permissions from the user account and root, we have tried removing the file from the user account and root, we have tried changing the content from the user account and root.

    No matter what we do the file always changes back to permissions 444 with the hacked content in it.


Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Restore from a backup you made before the hack then close the hole that allowed them to get in to the site in the first place.

    If something is changing files, then you are still hacked and you haven’t removed the hack yet. Until you do that, there is no cure.

    Thread Starter WebHostPro

    (@dwhswebhosting)

    Thanks, there is no backup.

    The goal here is to find the whole now and the hack and fix it.

    Thread Starter WebHostPro

    (@dwhswebhosting)

    *hole

    How can they have the file be restored with the hacker code the second it’s removed, and the permissions changed?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    The only way it can happen in the manner you describe is if something is still running on that machine to prevent changes to the files.

    Thread Starter WebHostPro

    (@dwhswebhosting)

    Yeah, I figured that. Thanks. Any idea how to track down what it is?

    Thread Starter WebHostPro

    (@dwhswebhosting)

    O.K. great, after a lot of research and some big help, we found how the hack was working.

    The code added to the main index page of WordPress was telling PHP-FPM to rebuild the file from its cache if it was changed.

      1. To remove or edit the file, you first need to disable PHP-FPM.
      2. Change or remove the index.php file.
      3. Then you can restart PHP-FPM and start doing normal work on the site.

    Hope this helps someone.
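
The three steps above as a shell sketch that also checks the file stays clean afterwards. This is an added example, not part of the original thread; it assumes a systemd host, a PHP-FPM unit name supplied by the operator, and a clean index.php taken from the official WordPress package, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: systemd host, PHP-FPM unit
# name passed as $1 (e.g. php-fpm), known-good index.php from the official
# WordPress package of the installed version passed as $3.

sha_of() { sha256sum "$1" | cut -d' ' -f1; }

# is_clean <live_file> <known_good>: true when the contents are identical.
is_clean() { [ "$(sha_of "$1")" = "$(sha_of "$2")" ]; }

# replace_file <live_file> <known_good>: swap in the clean copy with mode 644.
replace_file() {
    rm -f "$1"    # unlink depends on directory permissions, not the file's 444 mode
    cp "$2" "$1" && chmod 644 "$1"
}

# watch_clean <live_file> <known_good> <seconds>: poll once per second.
# Returns 1 as soon as the contents differ, 0 if clean for the whole window.
watch_clean() {
    i=0
    while [ "$i" -lt "$3" ]; do
        is_clean "$1" "$2" || return 1
        sleep 1
        i=$((i + 1))
    done
    is_clean "$1" "$2"
}

# remediate <fpm_unit> <live_file> <known_good>
remediate() {
    systemctl stop "$1" || return 2                    # step 1
    if pgrep php-fpm >/dev/null; then
        echo "php-fpm processes survived the stop; end them first" >&2
        return 3
    fi
    replace_file "$2" "$3" || return 2                 # step 2
    if ! watch_clean "$2" "$3" 10; then
        echo "file reverted with PHP-FPM down: another writer exists" >&2
        return 4
    fi
    systemctl start "$1" || return 2                   # step 3
    if ! watch_clean "$2" "$3" 30; then
        echo "file reverted after restart: reinfection source still present" >&2
        return 5
    fi
}

if [ "$#" -eq 3 ]; then remediate "$@"; fi
```

A non-zero exit from `remediate` means the file changed again or PHP-FPM did not fully stop, so the site should stay offline until the remaining writer is found.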

  • The topic ‘hacked index.php file with 444 permissions won’t stay changed’ is closed to new replies.