Hey,
The Wordfence config files in my installation seem to get infected far often and that too by the same malware by the looks of it. It appends a massive amount of garbled text (base64 encoded or something) onto the config files for Wordfence. This happens every few days. I’ve attached a screenshot of a file that’s currently infected.
https://imgur.com/x7MqdtT
If needed, you can find the entire text body as a comment on the imgur link provided.
The config files have the following permissions and are owned by www-data:
attack-data.php – 660
config-livewaf.php – 660
config-synced.php – 660
config-transient.php – 660
config.php – 660
GeoLite2-Country.mmdb – 755
ips.php – 660
rules.php – 664
The infection can happen to any of these files that are owned by www-data. All the rest of my files are owned by ubuntu. Those owned by Ubuntu don’t get infected.