Someone accessed my EC2
Ubuntu
14.04 and installed some malicious cron
to do port scanning with user eric
. I removed user eric
and the file executed, but in syslog
I see
Sep 19 15:27:01 ip-xxx CRON[9388]: Authentication failure
Sep 14 08:45:01 ip-xxx CRON[9389]: (eric) CMD (/var/tmp/.muh/y >/dev/null 2>&1)
Sep 19 15:28:01 ip-xxx CRON[9389]: Authentication failure
Sep 19 15:29:01 ip-xxx CRON[9391]: Authentication failure
Sep 19 15:30:01 ip-xxx CRON[9392]: Authentication failure
Sep 19 15:31:01 ip-xxx CRON[9526]: Authentication failure
Can anyone tell me how to find the cron
installed (crontab
is empty)?