When a site gets compromised, one thing we know for sure is that attackers love to leave behind malware that lets them get back into the site; this type of malware is called a backdoor. The name comes from the fact that it allows remote control of a compromised website in a way that bypasses the appropriate authentication methods. You can update your site, change passwords, and go through any of your other admin procedures, and the backdoor will still be there, giving an attacker unexpected access.
Backdoors are also very hard to find: they don’t have to be linked anywhere on the site, and they can be very small and easily confused with “normal” code. Some of them have passwords, some are heavily encrypted/encoded, and they can be anywhere on your site, file system or database.
We have written extensively about website backdoors (generally in PHP) that allow for continuous reinfections and control of hacked websites.
You can read more about backdoors at these links:
- Ask Sucuri: What about the backdoors?
- Ask Sucuri: Non-alphanumeric Backdoors
- Hiding Backdoors using Cron