Pharma Hack comes back nightly at 3am

I had a wordpress installation that I’d left dormant for awhile and have started using again. Awhile ago it had been attacked by a pharma hack and I haven’t really caught up to it until now.

The other day I removed the old wordpress installation and placed version 4.0 on the site. I changed the wordpress install location for the root of the site to a /wordpress/ folder and changed every single ftp/database/user password associated with the website. There wasn’t anything fishy in the old database so I’ve still got my old posts available, but everything else is brand new.

Still, every night at 3am my .htaccess file gets changed and the hacked common.php gets dropped into my root site folder. Nothing else on my site gets changed.

I checked for cron jobs listed in my dreamhost panel and i see nothing. The only thing I have to go on is the .bash_history from when the attack initally happened, here it is

Does anyone know if its possible i have a process running on my host every night that’s adding these files back in?

One thing that you can do is to install RKhunter. It’s a rootkit scanner and I have used this in the past and it caught a bash file at cron that gathers info and sends an email to a mail account daily. Good luck.

I finally set up ssh access and got into my account to see if I could find anything hidden. I managed to find an offending file deep within a separate directory by searching for the eval() code that was running the base64 stuff. This is the terminal code that helped me find it. Hopefully that the end of this.