I have some problems with our XenForo installation for few last weeks. Looks like it became a target of hackers/spammers. I've installed few addons to fight spam but I have no idea how change of root `index.php` script could be done.
For 2 times already it was prefixed with some malicious code to redirect a visitor who visits the forum for the first time to a 3rd-party fishing site.
I've done auth log analysis on server and see that noone except me on my laptop from well-known IP was logged in. So the question is how could one change contents of `index.php` without SSH server access ever?
Admin log found in XenForo control panel is fine too: no traces of any suspicious actions.
For now I changed file-based permissions to disallow write from any user, including web-server user. But it's a kind of work around which breaks upgrade process, shut ups the problem instead of solving it, etc.
Does anybody have an idea?