
We have a Laravel 5.6.x application running as a REST backend with PHP 7 on one of our servers. The server uses CentOS with WHM/cPanel/phpMyAdmin.

Recently that server issued a maldet warning (our malware detector) after it saw some strange PHP files appear in the /public folder of the Laravel application. Upon reviewing the files on the server there were several new files not native to our project, including folders like "wp_admin" even though our app is a Laravel app and does NOT use WordPress. They had completely overwritten index.php to look like a WordPress equivalent but with junk code at the top. Other new files like .htaccess seemed to be trying to emulate a WordPress setup.

Unfortunately these junk files have since been deleted by our hosting provider and the account suspended in our attempt to diagnose the problem, otherwise I would provide them. This breaks our app, and I am unable to remove some of the remaining files and folders because every time I delete them (the wp_admin folder and .htaccess, for example), they reappear immediately, with a timestamp from mid-May 2020. I checked logs and crontabs and running processes to see if something was auto-creating things but was unable to find anything that stood out.

I'm very new to the topic of trying to diagnose server vulnerabilities. I understand that, very generally speaking, the safest thing to do right now would be to nuke it and rebuild, and we may very well do that, but are there any guidelines or pointers the community could give me to help me understand what happened here, so I can try to prevent it in the future? I checked auth and FTP logs and ran maldet again, but to no avail. I don't know where this attack came from, or whether it's a vulnerability of my server setup, PHP, the Laravel app, or related libraries. Any help or guidance in the right direction to diagnose a situation like this is greatly appreciated. Much thanks.

(This is my first question on Security Stack Exchange; apologies if it's off-base.)

Asked by Ablancore

0 Answers
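The question has no answers on this page. What follows is an added, defender-side triage helper written for this edit; it is not the asker's code and not something from Laravel, cPanel or maldet. It turns the checks the asker describes (recently written files under public/, an overwritten index.php, foreign wp_admin and .htaccess entries, cron jobs that could be recreating them) into reproducible shell functions. The web root path, the manifest and hash-list format, the reference date and the cron directory are all assumptions to be replaced with the real server's values; the demo tree built by setup_demo is constructed sample data, not anything recovered from the asker's host.

```shell
#!/bin/sh
# Added triage helper for a Laravel public/ tree where foreign files keep
# reappearing. Defensive checks only: what changed, what does not belong,
# what was rewritten, and which cron entries reference the web root.
# All paths and dates below are assumptions; run as root on the real host.
export LC_ALL=C   # keep sort/comm collation identical across calls

# 1. Files under the web root $1 modified after the date $2 (YYYY-MM-DD).
#    -newermt is GNU find, which CentOS ships.
recent_files() {
    find "$1" -type f -newermt "$2" | sort
}

# 2. Files on disk that a known-good manifest ($2) does not list.
#    Build the manifest from a clean checkout of the release:
#      (cd public && find . -type f | sort) > manifest.txt
#    A stock Laravel public/ contains only what the repository ships, so every
#    line printed here (wp_admin/*, a stray .htaccess) deserves inspection.
unexpected_files() {
    (cd "$1" && find . -type f | sort) | comm -23 - "$2"
}

# 3. Shipped files whose contents differ from the clean copy, using a
#    sha256sum list ($2, absolute path) made from the clean checkout:
#      (cd public && find . -type f -exec sha256sum {} +) > hashes.txt
#    This is how an overwritten index.php is caught even though its name is
#    perfectly normal. Missing files are reported as well.
tampered_files() {
    (cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null) | sed -n 's/: FAILED.*$//p'
}

# 4. Cron entries mentioning a string (normally the web root). Pass the
#    directories to scan: /var/spool/cron, /etc/cron.d, /etc/crontab on CentOS.
#    A job that keeps re-copying files is the usual reason deletions "undo"
#    themselves; if nothing shows up here, the next stop is a running process
#    (ps, lsof +D /path/to/public) or an auditd watch on the directory.
cron_mentions() {
    needle=$1; shift
    grep -rnF -- "$needle" "$@" 2>/dev/null || true
}

# Constructed demonstration data (not from the question): a tiny fake
# Laravel public/ tree, a manifest and hash list taken while it was clean,
# and then the kind of tampering the asker reports.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/public" "$demo/cron"
    printf '<?php require __DIR__."/../vendor/autoload.php";\n' > "$demo/public/index.php"
    printf 'User-agent: *\n' > "$demo/public/robots.txt"
    (cd "$demo/public" && find . -type f | sort) > "$demo/manifest.txt"
    (cd "$demo/public" && find . -type f -exec sha256sum {} +) > "$demo/hashes.txt"
    # tampering: index.php rewritten, foreign .htaccess and wp_admin/ added,
    # and a crontab line that points at the web root
    printf '<?php /* unexpected prepended code */\n' > "$demo/public/index.php"
    printf 'RewriteEngine On\n' > "$demo/public/.htaccess"
    mkdir -p "$demo/public/wp_admin"
    : > "$demo/public/wp_admin/index.php"
    printf '*/5 * * * * sh /tmp/.u/run.sh %s/public\n' "$demo" > "$demo/cron/www"
    echo "$demo"
}

# Usage on a real host (all paths are assumptions):
#   recent_files   /home/site/public_html/public 2020-05-01
#   unexpected_files /home/site/public_html/public /root/manifest.txt
#   tampered_files   /home/site/public_html/public /root/hashes.txt
#   cron_mentions    /home/site/public_html /var/spool/cron /etc/cron.d /etc/crontab
```

The manifest and hash list are the important part: a clean checkout of the deployed release is the only ground truth for what public/ should contain, so generate them from the repository, not from the compromised host. Run these on the suspended account's files before rebuilding, since the output (which files are foreign, which shipped files were rewritten, whether a cron entry references the tree) is exactly the evidence the hosting provider's cleanup removed.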