We will describe a case where the public_html folder was not writable due to malware infecting WordPress, and the permissions could not be changed, making it impossible to remove the malware.
Example of a client’s malware infection
The client’s malware infection situation was as follows.
A large number of malware was installed in the public_html folder of the server’s WordPress site.
The permissions of the public_html folder are 555, 500, etc., which are not writable, so the malware cannot be deleted.
Even if the permission of the public_html folder is set to writable (e.g. 755), the permission is instantly set back to 555, 500, or other non-writable permissions.
Why do the permissions of the public_html folder instantly revert to 555, 500, and other non-writable permissions?
The reason for this is that there is a rogue program resident in the server process or in the public_html folder where WordPress is installed that monitors the write permissions of the folder every time the site is accessed and immediately reverts them if any changes are made.
To remove this resident program, you need to stop the malware itself that runs every time the site is accessed or the following program that runs on the server and is resident in the memory of the process.
shell_exec("ps aux | grep -i php | awk {'print $2'} | xargs kill -9");
*Executing the above program will stop the PHP process, so you may need to restart PHP or restart LAMP as a whole. Please use at your own risk.
The malware itself that is infecting WordPress can also be investigated and detected with a malware scanning plugin.
Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
