ShopSecurity - Suspicious crontab entries
The database contains suspicious crontab entries. What should I do now?
Please note: The information in this article refers exclusively to our ShopSecurity tool, which you can use to check your shop installations for known and potential security vulnerabilities.
We recommend having a shop that is (potentially) infected with malware checked by experienced developers or security companies.
Since 2021, malware has increasingly been stored not only in the file system, but also hidden within the crontab. The crontab is the system's internal list of all cron jobs, i.e., the processes that are regularly executed in the background. In this way, the malware attempts to evade common scanners and manual review, because often only the file system is checked.
The malicious code itself is not necessarily immediately recognizable in the crontab, because obfuscation tactics are used.
Further details (in English) on crontab malware are also provided by our partner Sansec.
If corresponding entries are found on your system, it is very likely that there is more malware in your cluster. We therefore recommend that you thoroughly check all applications and databases on the cluster.
Malware cron jobs usually ensure that a malware process is always running in the cluster. Therefore, all running processes should also be checked.
Solution: Checking the crontab
You can edit the contents of the crontab in an SSH console using the command crontab -e.
In addition, the cluster's Managed Center displays all active cron jobs under Cron jobs.
Cron jobs that you did not create should be deleted in any case. If you are unsure, deactivate a suspicious cron job and then consult your agency or our support team if necessary.
It is also advisable to check the cluster's running processes—the cron job may have started a process during its last execution, which should also be terminated.
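The crontab check described above, as an added example (not part of the original article and not ShopSecurity's own logic): a POSIX shell function that reads crontab text and flags entries matching common obfuscation heuristics. The function names, the patterns and the sample crontab are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag crontab entries that match common obfuscation heuristics.
# The patterns below are illustrative assumptions, not a ShopSecurity rule set.

# Helper: append reason $2 if the current entry matches ERE $1.
cl_hit() {
  if printf '%s\n' "$cl_line" | grep -Eq -e "$1"; then
    cl_reasons="${cl_reasons}${2},"
  fi
}

# Reads crontab text on stdin; prints "LINE_NO<TAB>REASONS<TAB>ENTRY" per hit.
flag_cron_lines() {
  cl_n=0
  while IFS= read -r cl_line || [ -n "$cl_line" ]; do
    cl_n=$((cl_n + 1))
    # Skip blank lines and comments.
    printf '%s\n' "$cl_line" | grep -Eq '^[[:space:]]*(#|$)' && continue
    cl_reasons=""
    cl_hit 'base64[[:space:]]+(-d|--decode)'        base64-decode
    cl_hit '(^|[^[:alnum:]_])eval([^[:alnum:]_]|$)' eval
    cl_hit '(curl|wget)[^|;]*\|[[:space:]]*(ba)?sh' download-piped-to-shell
    cl_hit '[A-Za-z0-9+/=]{80,}'                    long-encoded-string
    cl_hit '/(tmp|dev/shm|var/tmp)/'                temp-dir-path
    if [ -n "$cl_reasons" ]; then
      printf '%s\t%s\t%s\n' "$cl_n" "${cl_reasons%,}" "$cl_line"
    fi
  done
  return 0
}

# Constructed sample crontab (not taken from a real incident).
sample_crontab() {
  cat <<'EOF'
# constructed sample
*/5 * * * * /usr/bin/php /var/www/shop/bin/magento cron:run
0 3 * * * /usr/local/bin/backup.sh
* * * * * echo PLACEHOLDER_ENCODED_BLOB | base64 -d | sh
*/10 * * * * /dev/shm/.cache/worker >/dev/null 2>&1
EOF
}

sample_crontab | flag_cron_lines

# On a real cluster, audit the live crontab and then list your running processes:
#   crontab -l | flag_cron_lines
#   ps -u "$(id -un)" -o pid,etime,args
```

A flagged line is a prompt for manual review, and an unflagged crontab is not proof that the cluster is clean.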
Further recommendations for action
Please also check our general malware recommendations.
If you require any further assistance, please contact our support team by phone at +49 5251/414130 or by email at support@maxcluster.de