I had a wordpress installation that I'd left dormant for awhile and have started using again. Awhile ago it had been attacked by a pharma hack and I haven't really caught up to it until now.
The other day I removed the old wordpress installation and placed version 4.0 on the site. I changed the wordpress install location for the root of the site to a /wordpress/ folder and changed every single ftp/database/user password associated with the website. There wasn't anything fishy in the old database so I've still got my old posts available, but everything else is brand new.
Still, every night at 3am my .htaccess file gets changed and the hacked common.php gets dropped into my root site folder. Nothing else on my site gets changed.
I checked for cron jobs listed in my dreamhost panel and i see nothing. The only thing I have to go on is the .bash_history from when the attack initally happened, here it is
Does anyone know if its possible i have a process running on my host every night that's adding these files back in?