Two weeks ago I started looking at a problem report where some files would disappear every night from a WordPress install.
WordPress had been upgraded from 3.7.x to 3.8 and we were seeing the following files missing:
- /wp-admin/css/wp-admin.min.css
- /wp-admin/css/wp-admin-rtl.min.css
- /wp-includes/js/tinymce/tiny_mce.js
This caused the login page to be unstyled and the visual editor of WordPress to not work at all. Very annoying. But most annoying was that after a reinstall, the next day the problem presented itself again.
I started pursuing possibilities and ruled out the following:
- being caused by the WordPress auto-updater (Disabled the auto-updates and it would still happen).
- being caused by a malicious plugin or theme (Scanned them for malicious code and found nothing).
- being caused by a WordPress cron job (Checked which ones are active and what they do and found nothing).
My best guess at the time was that this was caused by a script that connected via FTP or another port to perform these changes. So I changed the FTP password and expected to confirm or discard this possibility the next morning. Except… the same thing happened again.
Some efforts later, together with the sysadmin, we were able to figure out the root cause of this issue. There was an anti-malware process called “maldetect” running on the machine in order to scan PHP files and others for suspicious infected files, and for some reason this was happening to those files.
“maldetect” was sending an e-mail alert to the admin e-mail address each time it quarantined a file, but those messages were being marked as spam, which inadvertently compounded the problem.
Glad to have finally nailed this one.