Dungeon-Dave

Security warning: crond

I've recently performed some analysis on a phpMyAdmin-related vulnerability that downloads a bot onto an unsuspecting machine. I won't go into details, but suffice it to say that the bot masquerades as a "crond" process - looking at a normal process listing it is able to hide inconspicuously.


(I've witnessed this behaviour before, when the bot tried to masquerade as a httpd process - but was running /usr/local/bin/httpd rather than /usr/sbin/httpd so was more quickly spotted.)


On my servers, there should be only one crond process, root-owned. This bot tries to run under the apache account (httpd) or a normal user account for those that use suPHP. I wouldn't advise people to stop any crond process without properly analysing what those processes do, but a combination of "lsof -p PID" and "netstat -apn" ought to uncover any nefarious activity.


Just be warned! Thought I'd give people a heads-up here.
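The check described above (only one crond, root-owned, from the expected binary) written out as a POSIX shell script. This is an added example, not code from the original post; it assumes the legitimate daemon lives at /usr/sbin/crond (adjust for your distribution), uses the Linux /proc layout and GNU stat, and the sample process listing is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag processes that present
# themselves as "crond" but are not owned by root or do not run from the
# expected binary. Assumption: the real daemon is /usr/sbin/crond.
EXPECTED_CROND_PATH="/usr/sbin/crond"

# Reads lines of the form "<user> <pid> <exe path> <cmdline>" on stdin and
# prints those that claim to be crond while the owner is not root or the
# resolved executable is not the expected one.
suspicious_crond() {
    while read -r user pid exe cmd; do
        case "$cmd" in
            crond*|*/crond*) ;;     # only consider things that call themselves crond
            *) continue ;;
        esac
        if [ "$user" != "root" ] || [ "$exe" != "$EXPECTED_CROND_PATH" ]; then
            printf '%s %s %s %s\n' "$user" "$pid" "$exe" "$cmd"
        fi
    done
}

# Builds the same "<user> <pid> <exe> <cmdline>" lines from a live Linux box
# (/proc layout, GNU stat). A bare "?" exe means /proc/PID/exe was unreadable.
live_process_lines() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="?"
        user=$(stat -c %U "$p" 2>/dev/null) || continue
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
        printf '%s %s %s %s\n' "$user" "$pid" "$exe" "$cmd"
    done
}

# Constructed sample listing: one legitimate crond, two impostors, one httpd.
SAMPLE='root 812 /usr/sbin/crond crond
apache 4410 /tmp/.x/crond crond
jsmith 5123 /home/jsmith/.cache/crond /usr/sbin/crond
apache 2201 /usr/sbin/httpd /usr/sbin/httpd -DFOREGROUND'

# Number of suspicious crond entries in the constructed sample (expected: 2).
count_suspicious_in_sample() {
    printf '%s\n' "$SAMPLE" | suspicious_crond | wc -l | tr -d ' '
}

# Usage on a live host: live_process_lines | suspicious_crond, then follow up
# each reported PID with "lsof -p PID" and "netstat -apn" as the post suggests.
```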

Thanks for sharing. Interesting to see how such attacks actually end up manifesting themselves (and being discovered) -- it's useful knowledge to help spot suspicious behaviour in the future.

For further reading, We Wuz Hacked shows that it's nothing particularly new. I do have many measures in place to detect and report on suspicious activity so was able to conduct some analysis in safety - but I can see how many others will be easily taken in, and this isn't something new in the wild either...
