Linux-Noob Forums
Security warning: crond - Printable Version

Security warning: crond - Dungeon-Dave - 2011-05-05


I've recently performed some analysis on a phpmyadmin-related vulnerability that downloads a bot onto an unsuspecting machine. I won't go into details, but suffice it to say that the bot masquerades as a "crond" process - looking at a normal process listing, it is able to hide inconspicuously.
(I've witnessed this behaviour before, when the bot tried to masquerade as an httpd process - but it was running /usr/local/bin/httpd rather than /usr/sbin/httpd, so it was more quickly spotted.)
On my servers, there should be only one crond process, root-owned. This bot tries to run under the apache account (httpd) or a normal user account for those that use suPHP. I wouldn't advise people to stop any crond process without properly analysing what those processes do, but a combination of "lsof -p PID" and "netstat -apn" ought to uncover any nefarious activity.
Just be warned! Thought I'd give people a heads-up here.
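The checks described in the post above (one crond, root-owned; httpd running from the distribution path rather than /usr/local/bin; then lsof -p PID and netstat -apn on anything odd) as an added POSIX shell example. This is not code from the thread: the ps listing it parses by default is constructed, and the expected binary locations (/usr/sbin/crond, anything under /usr/sbin/ for httpd) are assumptions to adjust for your distribution.

```shell
#!/bin/sh
# Added example: audit processes that borrow the "crond" or "httpd" name.
# Not part of the original thread. Assumed (not from the post): the distro
# binaries live at /usr/sbin/crond and under /usr/sbin/ for httpd.

# Constructed sample of `ps -eo user,pid,comm,args` output with two
# look-alikes of the kind the post describes. Not captured from a real host.
SAMPLE_PS='USER       PID COMMAND  COMMAND
root         1 init     /sbin/init
root       812 crond    crond
apache    2417 crond    /tmp/.x/crond
nobody    2633 httpd    /usr/local/bin/httpd
root      2800 httpd    /usr/sbin/httpd'

# flag_suspicious PS_OUTPUT
# Reads ps output (user pid comm args) and prints one line per finding:
#   PID USER COMM EXECUTABLE REASON
# Rules from the post: crond must be root-owned and there should be only one;
# an httpd whose executable is not under /usr/sbin/ is a look-alike.
flag_suspicious() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                      # skip the ps header line
        {
            user = $1; pid = $2; comm = $3; exe = $4   # exe = first word of args
            if (comm == "crond") {
                crond_count++
                if (user != "root")
                    print pid, user, comm, exe, "crond-not-root"
                else if (exe != "crond" && exe != "/usr/sbin/crond")
                    print pid, user, comm, exe, "crond-odd-path"
            }
            if (comm == "httpd" && substr(exe, 1, 1) == "/" && substr(exe, 1, 10) != "/usr/sbin/")
                print pid, user, comm, exe, "httpd-odd-path"
        }
        END {
            if (crond_count > 1)
                print "-", "-", "crond", "-", "multiple-crond"
        }'
}

# audit_live: run the check against the real process table and, for each
# flagged PID, show its open files and sockets the way the post suggests
# (lsof -p PID, netstat -apn). It only inspects; it never stops a process.
audit_live() {
    flag_suspicious "$(ps -eo user,pid,comm,args)" |
    while read -r pid user comm exe reason; do
        echo "== $reason: pid=$pid user=$user exe=$exe"
        if [ "$pid" = "-" ]; then
            continue
        fi
        if command -v lsof >/dev/null 2>&1; then
            lsof -p "$pid" 2>/dev/null
        fi
        if command -v netstat >/dev/null 2>&1; then
            netstat -apn 2>/dev/null | grep -E "[[:space:]]$pid/"
        fi
    done
}

# Inspect this host only when asked explicitly (./crond_audit.sh --live);
# otherwise demonstrate the rules on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    flag_suspicious "$SAMPLE_PS"
fi
```

On the sample, the apache-owned crond, the httpd under /usr/local/bin and the fact that two crond processes exist are each reported; the root-owned crond and the /usr/sbin/httpd pass. Run with --live to apply the same rules to the real process table and get the lsof and netstat output for each finding.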
Security warning: crond - hybrid - 2011-05-06

Thanks for sharing. Interesting to see how such attacks actually end up manifesting themselves (and being discovered) -- it's useful knowledge to help spot suspicious behaviour in the future.



Security warning: crond - Dungeon-Dave - 2011-05-06

For further reading, We Wuz Hacked shows that it's nothing particularly new. I do have many measures in place to detect and report on suspicious activity so was able to conduct some analysis in safety - but I can see how many others will be easily taken in, and this isn't something new in the wild either...