
Someone accessed my EC2 Ubuntu 14.04 and installed some malicious cron to do port scanning with user eric. I removed user eric and the file executed, but in syslog I see

Sep 19 15:27:01 ip-xxx CRON[9388]: Authentication failure
Sep 14 08:45:01 ip-xxx CRON[9389]: (eric) CMD (/var/tmp/.muh/y >/dev/null 2>&1)
Sep 19 15:28:01 ip-xxx CRON[9389]: Authentication failure
Sep 19 15:29:01 ip-xxx CRON[9391]: Authentication failure
Sep 19 15:30:01 ip-xxx CRON[9392]: Authentication failure
Sep 19 15:31:01 ip-xxx CRON[9526]: Authentication failure

Can anyone tell me how to find the cron installed (crontab is empty)?

Dave M
LucScu

2 Answers


Try one (or two) of these:

  • chmod 000 /var/tmp/.muh/y (if you want to analyse later)
  • mv /var/tmp/.muh/y /tmp (move to alternative location)
  • rm /var/tmp/.muh/y (remove it completely)

then you gotta find where in cron it's scheduled and remove it.

alexus
  • /var/tmp/ is already empty. PS: why did you edit my question and highlight some words? Is it useful for users? – LucScu Sep 19 '14 at 16:23
  • @D.Milito if it's empty, then look wherever it's scheduled from and remove it from there, so it doesn't show up in your `syslog` anymore. – alexus Sep 19 '14 at 16:26
  • I can't find where it is scheduled. This is my problem. – LucScu Sep 19 '14 at 16:29

Thx to all who gave me a hand to resolve my issue and put -1.

And the real thx to http://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/

/var/spool/cron/crontabs/
-rw------- 1   1002 crontab  222 Sep 10 19:13 eric
-rw------- 1 ubuntu crontab 1148 Aug 25 16:44 ubuntu

The hacked account eric had put in his crontab

* * * * * /var/tmp/.muh/y >/dev/null 2>&1

Now I could fix it :)

LucScu
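The per-user spool directory found above is only one of the places cron reads jobs from. As an added example (not from the original question or answers), the function below walks every cron location on a Debian/Ubuntu layout and reports lines that mention a given path, run here against a constructed sample tree that mirrors the question; the `/var/spool/cron/*` entry is an assumption covering other distributions' spool path.

```shell
#!/bin/sh
# Added example, not part of the original post.
# find_cron_refs PATTERN [ROOT]: print file:line:text for every cron job
# under ROOT (default: the live system) whose text contains PATTERN.
find_cron_refs() {
    pattern=$1
    root=${2:-}
    # Per-user spool files plus the system-wide locations. Note that a
    # spool file is not removed when its user is deleted; cron keeps
    # parsing it, and the failed PAM check for the missing account is
    # what shows up in syslog as "CRON[...]: Authentication failure".
    for f in "$root"/var/spool/cron/crontabs/* \
             "$root"/var/spool/cron/* \
             "$root"/etc/crontab \
             "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/*; do
        [ -f "$f" ] || continue
        # -F: treat PATTERN as a fixed string, so "." in a path is literal.
        grep -nF -- "$pattern" "$f" 2>/dev/null | sed "s|^|$f:|"
    done
}

# Constructed sample tree mimicking the question's situation.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/var/spool/cron/crontabs" "$demo_root/etc/cron.d"
printf '* * * * * /var/tmp/.muh/y >/dev/null 2>&1\n' \
    > "$demo_root/var/spool/cron/crontabs/eric"
printf '0 3 * * * /usr/bin/apt-get update\n' \
    > "$demo_root/var/spool/cron/crontabs/ubuntu"
printf '# nothing suspicious here\n' > "$demo_root/etc/cron.d/anacron"

demo_result=$(find_cron_refs '/var/tmp/.muh' "$demo_root")
echo "$demo_result"
```

On the live machine, `find_cron_refs '/var/tmp/.muh'` with no ROOT argument searches the real cron locations; the matching spool file can then be dropped with `crontab -r -u eric` or by deleting the file.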