Someone accessed my EC2 Ubuntu 14.04 and installed some malicious cron to do port scanning with user eric. I removed user eric and the file executed, but in syslog I see:

    Sep 19 15:27:01 ip-xxx CRON[9388]: Authentication failure
    Sep 14 08:45:01 ip-xxx CRON[9389]: (eric) CMD (/var/tmp/.muh/y >/dev/null 2>&1)
    Sep 19 15:28:01 ip-xxx CRON[9389]: Authentication failure
    Sep 19 15:29:01 ip-xxx CRON[9391]: Authentication failure
    Sep 19 15:30:01 ip-xxx CRON[9392]: Authentication failure
    Sep 19 15:31:01 ip-xxx CRON[9526]: Authentication failure

Can anyone tell me how to find the cron installed (crontab is empty)?
Answer
Try one (or two) of these:

    chmod 000 /var/tmp/.muh/y      (if you want to analyse later)
    mv /var/tmp/.muh/y /tmp        (move to alternative location)
    rm /var/tmp/.muh/y             (remove it completely)

Then you gotta find where in cron it's scheduled and remove it.
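Added example, not from the question or the answer: a POSIX shell helper that walks every location Ubuntu's cron reads jobs from, reports entries mentioning a string from the payload command, and lists per-user spool files whose user no longer exists in passwd (which is why `crontab -l` run as root, showing only root's own crontab, looks empty). `CRON_ROOT`, `make_sample_layout` and the sample entries are my assumptions/constructed data so the scan can run against a scratch directory instead of the live host.

```shell
#!/bin/sh
# Added example, not from the original Q&A. CRON_ROOT is an assumed override
# that points the scan at a constructed copy of the cron layout; leave it
# empty to scan the real host (run as root so the spool dir is readable).
CRON_ROOT="${CRON_ROOT:-}"

# cron_locations: every file Ubuntu's cron reads jobs from. "crontab -l" as
# root shows only root's own spool file, so the per-user spool directory
# is the first place a job for another user hides.
cron_locations() {
    for f in "$CRON_ROOT"/var/spool/cron/crontabs/* "$CRON_ROOT"/etc/crontab \
             "$CRON_ROOT"/etc/cron.d/* "$CRON_ROOT"/etc/cron.hourly/* \
             "$CRON_ROOT"/etc/cron.daily/* "$CRON_ROOT"/etc/cron.weekly/* \
             "$CRON_ROOT"/etc/cron.monthly/*; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
}

# find_cron_refs MARKER: print "file:line:entry" for each cron entry whose
# text mentions MARKER (e.g. the payload path); exit status 1 if none.
find_cron_refs() {
    marker="$1"
    out=$(cron_locations | while IFS= read -r f; do
        grep -n -- "$marker" "$f" | sed "s|^|$f:|"
    done)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# stale_user_crontabs: per-user spool files whose user has no passwd entry,
# i.e. jobs left behind after the account itself was removed.
stale_user_crontabs() {
    for f in "$CRON_ROOT"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -q "^$(basename "$f"):" "$CRON_ROOT/etc/passwd" || printf '%s\n' "$f"
    done
}

# make_sample_layout DIR: constructed layout mirroring the question, with a
# leftover crontab for "eric" and no passwd entry for him (sample data).
make_sample_layout() {
    mkdir -p "$1/var/spool/cron/crontabs" "$1/etc/cron.d" "$1/etc/cron.daily"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$1/etc/passwd"
    printf '* * * * * /var/tmp/.muh/y >/dev/null 2>&1\n' \
        > "$1/var/spool/cron/crontabs/eric"
    printf '17 * * * * root cd / && run-parts --report /etc/cron.hourly\n' \
        > "$1/etc/crontab"
    printf '0 6 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' \
        > "$1/etc/cron.d/logrotate"
}
```

Usage on a real host: `CRON_ROOT= find_cron_refs /var/tmp/.muh/y; stale_user_crontabs`, then remove the offending spool file with `crontab -r -u <user>` or by deleting it from the spool directory.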
Attribution
Source : Link , Question Author : LucScu , Answer Author : alexus