server hacked - cron continue to run

Question

Someone accessed my EC2 Ubuntu 14.04 and installed some malicious cron to do port scanning with user eric. I removed user eric and the file executed, but in syslog I see

Sep 19 15:27:01 ip-xxx CRON[9388]: Authentication failure
Sep 14 08:45:01 ip-xxx CRON[9389]: (eric) CMD (/var/tmp/.muh/y >/dev/null 2>&1)
Sep 19 15:28:01 ip-xxx CRON[9389]: Authentication failure
Sep 19 15:29:01 ip-xxx CRON[9391]: Authentication failure
Sep 19 15:30:01 ip-xxx CRON[9392]: Authentication failure
Sep 19 15:31:01 ip-xxx CRON[9526]: Authentication failure

Can anyone tell me how to find the cron installed (crontab is empty)?

score 0 · Answer 1 · answered Sep 19 '14 at 16:20

0

Try one (or two) of these:

chmod 000 /var/rmp/.muh/y (if you want to analyse later)
mv /var/tmp/.muh/y /tmp (move to alternative location)
rm /var/tmp/.muh/y (remove it completely)

then you gotta find where in cron it's scheduled and remove it.

answered Sep 19 '14 at 16:20

alexus

13,667

LucScu · Accepted Answer · 2014-09-19T17:20:42.880

0

Thx to all give me an hand to resolve my issue and put -1.

And the real thx to http://www.cyberciti.biz/faq/how-do-i-add-jobs-to-cron-under-linux-or-unix-oses/

/var/spool/cron/crontabs/
-rw------- 1   1002 crontab  222 Sep 10 19:13 eric
-rw------- 1 ubuntu crontab 1148 Aug 25 16:44 ubuntu

The hackered account eric put in him crontab

* * * * * /var/tmp/.muh/y >/dev/null 2>&1

Now i could fix it :)

edited Sep 19 '14 at 17:20

answered Sep 19 '14 at 16:48

LucScu

101

server hacked - cron continue to run

2 Answers2