server hacked – cron continue to run [duplicate]

Someone accessed my EC2 Ubuntu 14.04 and installed some malicious cron to do port scanning with user eric. I removed user eric and the file executed, but in syslog I see

Sep 19 15:27:01 ip-xxx CRON[9388]: Authentication failure
Sep 14 08:45:01 ip-xxx CRON[9389]: (eric) CMD (/var/tmp/.muh/y >/dev/null 2>&1)
Sep 19 15:28:01 ip-xxx CRON[9389]: Authentication failure
Sep 19 15:29:01 ip-xxx CRON[9391]: Authentication failure
Sep 19 15:30:01 ip-xxx CRON[9392]: Authentication failure
Sep 19 15:31:01 ip-xxx CRON[9526]: Authentication failure

Can anyone tell me how to find the cron installed (crontab is empty)?

Answer

Try one (or two) of these:

  • chmod 000 /var/tmp/.muh/y (if you want to analyse later)
  • mv /var/tmp/.muh/y /tmp (move to alternative location)
  • rm /var/tmp/.muh/y (remove it completely)

then you gotta find where in cron it’s scheduled and remove it.
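On the question of where the job is scheduled when the root crontab is empty: the `(eric) CMD` line followed by per-minute `Authentication failure` lines points at a per-user crontab in /var/spool/cron/crontabs/eric that cron keeps reading after the account was deleted (PAM can no longer validate the user, so the job is refused but the file stays). The shell script below is an added example, not part of the answer above: it scans every location cron reads jobs from for a given string and lists crontabs whose owner no longer exists in passwd, using a constructed sample tree so it runs offline (pass `""` as the root to scan a live system).

```shell
#!/bin/sh
# Added example: enumerate every location cron reads jobs from under <root> and
# report entries matching a fixed string, plus per-user crontabs whose owner is
# missing from passwd. root="" scans the live system; a non-empty root scans a copy.

find_cron_refs() {  # usage: find_cron_refs <root> <fixed-string>  -> file:line:entry
    root="$1"; pat="$2"
    for f in "$root"/etc/crontab "$root"/etc/anacrontab "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -HnF -- "$pat" "$f" || true   # no match in this file is not an error
    done
}

# A crontab in /var/spool/cron/crontabs named after a deleted account is still
# read every minute; cron logs "Authentication failure" because PAM rejects the
# unknown user and the job is not run. Checks the local passwd file only (no NSS/LDAP).
orphan_crontabs() {  # usage: orphan_crontabs <root>
    root="$1"
    for f in "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        u=$(basename "$f")
        grep -q "^$u:" "$root/etc/passwd" || echo "$f"
    done
}

# --- constructed sample tree (assumption for this example, not data from the question) ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/etc/cron.d" "$SAMPLE/var/spool/cron/crontabs"
printf 'root:x:0:0:root:/root:/bin/sh\nubuntu:x:1000:1000::/home/ubuntu:/bin/bash\n' \
    > "$SAMPLE/etc/passwd"
printf '0 3 * * * root /usr/bin/apt-get update\n' > "$SAMPLE/etc/cron.d/apt"
# leftover crontab of the removed account, still pointing at the dropped binary
printf '* * * * * /var/tmp/.muh/y >/dev/null 2>&1\n' \
    > "$SAMPLE/var/spool/cron/crontabs/eric"

echo "== cron entries referencing /var/tmp/.muh/y =="
find_cron_refs "$SAMPLE" /var/tmp/.muh/y
echo "== crontabs owned by accounts missing from passwd =="
orphan_crontabs "$SAMPLE"
```

Deleting the orphaned file (or `crontab -r -u <user>` before removing the account next time) stops the per-minute failures; keep a copy of it with the binary if you intend to analyse the incident.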

Attribution
Source: Link, Question Author: LucScu, Answer Author: alexus