wp-config "changed"

After someone exploited the thumb exploit on our server over the winter, and the ensuing hours of clean up, I addded an automated script to watch for file changes (good and bad). It’s worked pretty well, it’s very simplistic, nothing over-the-top.

But a little while back it started to consistently message me saying that ‘wp-config’ had been modified. But when I FTP in and look at the file’s last modification date, it’s modified date is “old” and not within the parameters I’ve set to look for. I also have checked it against a back up config and have found nothing amiss…

So I was wondering if anyone had any insight into why this false flag would be thrown so consistently.