Unauthorized access to cron

I was hacked this morning!

Does anyone have an idea of what the entry of the crontab below might mean?

1st: They created a dir structure:

.rsync/
├── a
│   ├── a
│   ├── anacron
│   ├── cron
│   ├── init0
│   ├── run
│   └── stop

2nd: They executed this cronjob
(from: crontab -l)

0 */3 * * /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1

Last: it ran all my CPUs at 100% and sucked all the bandwidth from the network.

I killed all PIDs associated with ftpuser and everything went back to normal.

Answers:


Method 1

You have not solved the problem.

  1. What you found may only be the tip of the iceberg. There are many ways to hide malware. What you could see easily may well be designed to lull you into a false sense of security.
  2. Even if you managed to find all the malware, until you’ve found and plugged the hole it used to get in, it’s likely to reappear.
  3. If you have other people’s data (including but not limited to private identifying information such as email addresses, IP addresses, purchase histories, usage logs, etc.), you need to notify these people of the breach and let them know in what way their data may be compromised. It’s not just a good idea, it’s the law in many places.

You need to take the system down, investigate how the malware got in, and reinstall a clean copy from scratch.

For more information, see “How do I deal with a compromised server?”.


This does look like some fairly unsophisticated malware. It’s in directories with vaguely plausible names:

  • ftpuser is a user that might conceivably exist on some servers whose structure is stuck a decade or two ago. (Authenticated FTP should have been long replaced by SSH including SFTP. Anonymous FTP has been pretty much replaced by HTTP(s).)
  • .nullcache is hidden in some listings. “Nullcache” is a thing in various contexts; while I’m not aware of a tool that uses a .nullcache directory, it’s just plausible enough not to look completely out of place in a directory listing.
  • aptitude is a system administration tool that wouldn’t be out of place in a process listing (on distributions that use it, i.e. Debian and derivatives). sync is a standard utility, but one that doesn’t normally run for long, so while it would be out of place in a process listing, it has a harmless look. upd is not a standard name, but it looks harmless because it looks like it’s short for “update”.
  • anacron and cron are common tools and there are directories with this name on many systems (in /var/spool). init0 is close to init. A run exists in various places (/run, /var/run). stop is uncommon as a directory name, but again not completely out of place.
  • /tmp/.X17-unix is completely implausible, but is visually similar to /tmp/.X11-unix which exists on all systems running the X Window System (X11) which the standard Unix is based on, and many people wouldn’t know that the number 11 is significant.

The cron jobs run various binaries in these vaguely plausible locations at boot time (@reboot), once a week (5 8 * * 0) or roughly every three days (0 0 */3 * *).
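The answer above points out that the persistence lives in cron entries whose commands sit in a world-writable temp directory (/tmp/.X17-unix) or in a hidden dot-directory (~/.nullcache). The script below is an added example, not part of the original question or answer, that turns that observation into a quick audit: it flags crontab lines matching either pattern. The sample crontab is constructed from the entries in the question plus one benign line; the function and variable names (flag_cron_entries, count_flagged, audit_live_crontabs, SAMPLE_CRONTAB) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original Q&A): spot cron persistence that runs
# binaries out of temp directories or hidden dot-directories.

# flag_cron_entries: read crontab text on stdin and print every non-comment
# line whose command path starts under /tmp, /var/tmp or /dev/shm, or passes
# through a hidden directory component such as /.nullcache/ or /.rsync/.
flag_cron_entries() {
    grep -v '^[[:space:]]*#' \
    | grep -v '^[[:space:]]*$' \
    | grep -E '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/|/\.[^/[:space:]]+/'
}

# count_flagged: number of suspicious lines in the crontab text on stdin.
count_flagged() {
    flag_cron_entries | wc -l | tr -d ' '
}

# audit_live_crontabs: run the same check over the real cron sources on this
# host (the per-user spool needs root to read). Paths are the usual Debian
# and Red Hat locations; adjust for other distributions.
audit_live_crontabs() {
    for f in /var/spool/cron/crontabs/* /var/spool/cron/* /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        flag_cron_entries < "$f" | sed "s|^|$f: |"
    done
}

# Constructed sample: the entries from the question plus one legitimate job.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
0 */3 * * /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1'

# Demo: prints the five malicious entries; the certbot line stays quiet.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries
```

This is a heuristic, not a verdict: a legitimate job under ~/.local/bin will also be flagged, and nothing here catches persistence outside cron (systemd units, rc scripts, SSH authorized_keys, modified binaries), which is why the answer's advice to rebuild from a clean install still stands. Run audit_live_crontabs as root to check every user's spool, not just the one user you already know about.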


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
