12 Jun, 2023

Continuous Reinfection Cycle and Ways to Help Prevent It

Continuous reinfection poses a significant threat to all businesses with websites or blogs. Read on as we explain what it's all about.
The majority of small and medium businesses, 71% to be exact, have an established online presence in the form of websites. Sadly, malicious hackers are exploiting security weaknesses to compromise websites.

This is why your site's security should be extremely robust. Through cPanel Cron Job mechanisms adopted by organizations for task automation, hackers may regain control of your website in a process called the "continuous reinfection cycle."
The Continuous Reinfection Concept
Continuous reinfection refers to hackers' persistent compromise of a website, even after the initial cleanup and security measures. Once a website falls victim to a phishing attack, for instance, attackers often establish backdoors and leave malicious code embedded within the website's infrastructure. These backdoors allow them to regain access, maintain control, as well as continuously reinfect the compromised website.
Common Continuous Reinfection Techniques Used by Hackers on Websites
Sustained reinfection also poses a significant threat to website owners, as hackers employ various sophisticated techniques to maintain persistent control over compromised websites. Understanding these techniques is crucial for developing successful website security.
Let's explore some common continuous reinfection methods employed by hackers in greater detail:

Backdoor Injection
Hackers often exploit vulnerabilities in outdated plugins, themes, or software components to inject backdoors into a website. These backdoors serve as secret entry points that allow hackers to regain access even after the initial cleanup. By hiding malicious code within legitimate files, hackers can maintain control over the compromised website and carry out further attacks.
File Modification
Through malicious bots, hackers may alter important files integral to the website's structure to ensure continued reinfection. They tamper with core files, configuration files, or even legitimate scripts to embed malicious code and establish persistence. By modifying these files, hackers can evade detection and maintain control over the at-risk website.
Database Exploitation
Websites rely on databases to store and manage data. Hackers target vulnerable database systems to insert malicious code or manipulate existing data, enabling them to keep control of the hijacked website. Through database exploitation, hackers can execute commands, alter content, or extract sensitive information, thereby perpetuating the cycle of reinfection.
Payload Delivery
In some cases, hackers use payload delivery mechanisms to continuously infect websites. This involves injecting malicious code that acts as a gateway for delivering additional malware payloads to the website. The injected code may redirect users to malicious websites, download malware onto visitors' devices, or exploit vulnerabilities for further access and control.
Malicious Redirection
Cybercriminals employ various techniques such as phishing, cross-site scripting (XSS), or compromised external resources to redirect users toward harmful websites. These illicit redirects can result in the installation of malicious software, the acquisition of sensitive information, as well as the exploitation of vulnerabilities within the user's system. By continually redirecting users, hackers ensure an ongoing flow of victims and potential opportunities for reinfection.
The Exploitation of Third-Party Integrations
Websites also frequently incorporate third-party services, plugins, or widgets to enhance their functionality. However, hackers exploit vulnerabilities present in these integrations to gain unauthorized access and control over the breached web platform. Once infected, they can manipulate the website's behavior, insert malicious code, or utilize the compromised integration as a launching point for subsequent attacks.
Continuous Reinfection Through the cPanel Cron Job Mechanism
Hackers leverage the cPanel cron job mechanism to establish a sustained reinfection cycle. They schedule malicious scripts to run at specific intervals using cron jobs. This allows them to reinstall malware, modify files, as well as execute other malicious activities even after the initial cleanup. By exploiting the legitimate functionality of cron jobs, hackers maintain persistence and evade detection.
What is the cPanel Cron Job Mechanism?
The cPanel Cron Job mechanism allows you to automate your website's tasks and schedule scripts to run at predetermined intervals. The webmaster may configure cron jobs through the cPanel interface by specifying the desired schedule, the command to execute, and any additional parameters. Cron jobs are also versatile and serve a wide range of purposes in website management. Some common use cases include:
  • Updating website content on a regular basis, such as blog posts or product listings.
  • Generating backups of website files and databases.
  • Automating maintenance tasks, such as clearing temporary files or optimizing database tables.
  • Scheduling email notifications and alerts.
  • Running security scripts to scan for vulnerabilities or malware.
cPanel Cron Jobs in the Reinfection Cycle
According to Verizon research, SMEs account for more than 40% of all cyber-attacks, and perpetrators use a variety of creative ways to gain unauthorized access, including cron jobs. Black hat hackers exploit the functionality of cron jobs to establish a mechanism for continuous reinfection, but how exactly does the cycle begin? Let's consider a scenario where a website owner successfully detects and eliminates malware. They may believe the issue has been resolved, and the website is completely secure.

However, without the webmaster's knowledge, the previous hacker may have secretly established a malicious cron job on the cPanel, a control panel used for website management. This cron job is configured to run at regular intervals. Its primary purpose is to reinstall the malware or make alterations to critical files, thereby initiating a cycle of reinfection. When the scheduled time arrives, the cron job triggers the execution of the hacker's malicious script.

Once the malicious script is activated, it can perform various harmful actions. This can include downloading additional malware, modifying website files, or engaging in other malicious activities. Consequently, the website becomes compromised once more, perpetuating the reinfection cycle.

Real-life example of such a cyber attack
Let's have a look at the recent cyber attack that was remediated by our cybersecurity experts at ThreatSign. Below is a breakdown of malicious artifacts with explanations.
1 - Infected .htaccess file.
2 - Content of radio.php
3 - The cPanel cron job is responsible for the reinfection as discovered by malware researchers during the website malware cleanup process.
The injected cronjob downloaded the malware dropper (xxxd) from hello[.]hellodolly777[.]xyz, executed it with the following arguments (xxxd /home1/dummyXYZ/public_html/a22540 24) and then removed it from the website.
After further investigation, the following domains were found related to this attack:
  • hellodolly666[.]xyz
  • hellodolly777[.]xyz
  • hellodolly888[.]xyz
  • hellodolly999[.]xyz
Malware infection source and cleanup
The infection source was found in the customer’s home equipment (PC or laptop) was infected by keylogger malware which actually stole the password to cPanel and used it continuously to reinject cronjob data for further website reinfection. Changing the password didn’t help as the keylogger was able to get the new password during the update. The cleanup process required the customer to scan home equipment and clean all malware installed there.
Key Factors Behind Continuous Reinfection
A few essential aspects contribute to the successful execution of continual reinfection via cron jobs, and effectively combating them will prevent malicious attacks. These primarily consist of the following:

  • Inadequate Security Measures. If website owners fail to implement robust security measures, such as regular updates, strong passwords, as well as web-based firewalls, hackers can easily exploit vulnerabilities and gain unauthorized access to the website.

  • Lack of Monitoring and Detection. Website owners may be unaware of ongoing reinfection attempts without proper monitoring and detection software such as an Intrusion Detection and Prevention System (IDPS). Constant monitoring also allows for the timely identification of suspicious activities and immediate response.

  • Insufficient Cleanup Procedures. Inadequate cleanup procedures after a hacking incident can leave remnants of malicious code or backdoors, allowing hackers to reinfect the website through cron jobs.
Empower Your Business with ThreatSign’s Website Security Expertise
Continuous reinfection through cPanel cron jobs poses a significant threat to all businesses with websites or blogs. By understanding the concept of perpetual reinfection and the role of cron jobs in enabling continued access, website owners can take proactive measures to protect their websites from malware.

We value the integrity and security of your website, and as such, ThreatSign! offers the leading website anti-malware solutions that specialize in the detection of web-based threats. Our website security products are specifically tailored towards small and medium-sized businesses, and our best offerings include:

Partner with us today and establish a robust cybersecurity risk management strategy to ensure hacking does not disrupt your business operations again!