Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Can php add cron jobs?

Discussion in 'Security' started by mvandemar, Aug 25, 2015.

  1. mvandemar

    mvandemar Well-Known Member

    Jun 17, 2006
    Likes Received:
    Trophy Points:
    I am cleaning up an infected account of a client, hosting on Hostmonster using their cpanel shared hosting. There are 47 infected sites on the account, mostly Wordpress but a few other cms's as well. One of the symptoms is that there is an executable being written into /var/temp, and then a cron job being set up to call that file every 15 minutes. I get how the scripts are able to write to /var/temp, but should setting up cron jobs like that be possible via php? Or would this mean that the cpanel account itself was most likely compromised?

    I deleted both the file in question and the cron job, and it was re-created the following day. I have as of yet not finished cleaning out all of the infected scripts so if it is possible for scripts to set the cron jobs then obviously that is how it is happening, but I wasn't sure if that was the case or not.


  2. quizknows

    quizknows Well-Known Member

    Oct 20, 2009
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    DataCenter Provider
    I have seen instances where the shell/cpanel password is not compromised, but the crontab was changed by an infected web application. You should 'stat' the /var/spool/cron/$username file to get a timestamp, and consult the domain access logs and other relevant logs.
    mvandemar likes this.
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Apr 11, 2011
    Likes Received:
    Trophy Points:
    cPanel Access Level:
    Root Administrator
    Hello :)

    Feel free to update us with the outcome after you have finished cleaning out the infected scripts, or let us know if you found anything in the domain access logs.

    Thank you.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice