Security warning: crond
Linux-Noob Forums, Security and Firewalls (https://www.linux-noob.com/forums/forum-87.html)
Security warning: crond - Dungeon-Dave - 2011-05-05

I've recently performed some analysis on a phpmyadmin-related vulnerability that downloads a bot onto an unsuspecting machine. I won't go into details, but suffice it to say that the bot masquerades as a "crond" process - looking at a normal process listing, it is able to hide inconspicuously. (I've witnessed this behaviour before, when the bot tried to masquerade as an httpd process - but it was running /usr/local/bin/httpd rather than /usr/sbin/httpd, so was more quickly spotted.)

On my servers, there should be only one crond process, root-owned. This bot tries to run under the apache account (httpd) or a normal user account for those that use suPHP.

I wouldn't advise people to stop any crond process without properly analysing what those processes do, but a combination of "lsof -p PID" and "netstat -apn" ought to uncover any nefarious activity.

Just be warned! Thought I'd give people a heads-up here.

Security warning: crond - hybrid - 2011-05-06

Thanks for sharing. Interesting to see how such attacks actually end up manifesting themselves (and being discovered) -- it's useful knowledge to help spot suspicious behaviour in the future.

Security warning: crond - Dungeon-Dave - 2011-05-06

For further reading, "We Wuz Hacked" shows that it's nothing particularly new. I do have many measures in place to detect and report on suspicious activity, so was able to conduct some analysis in safety - but I can see how many others will be easily taken in, and this isn't something new in the wild either...
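An added example, not code from the thread, that automates the check described in the first post: list every process named crond, flag any that is not owned by root or not backed by the system cron binary, and hand each flagged PID to lsof and netstat. The expected binary path /usr/sbin/crond and the sample listing are assumptions; adjust EXPECTED_EXE for your distribution.

```shell
#!/bin/sh
# Assumption: the legitimate cron daemon runs as root from this binary.
EXPECTED_EXE=/usr/sbin/crond

# Live listing: "user pid comm exe" per process. /proc/PID/exe is used because a
# bot can choose its own argv[0] ("crond") but not what the kernel reports as its
# executable, which is how the /usr/local/bin/httpd imposter was spotted.
live_listing() {
    ps -eo user=,pid=,comm= | while read -r user pid comm; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        printf '%s %s %s %s\n' "$user" "$pid" "$comm" "$exe"
    done
}

# Read a listing on stdin and print one line per suspicious crond process:
# wrong owner (e.g. apache or a suPHP user) or wrong executable path.
flag_crond() {
    awk -v expected="$EXPECTED_EXE" '
        $3 == "crond" && ($1 != "root" || $4 != expected) {
            printf "SUSPICIOUS pid=%s user=%s exe=%s\n", $2, $1, $4
        }'
}

# Follow-up for a flagged PID, as the post suggests: its open files and sockets.
investigate() {
    lsof -p "$1" 2>/dev/null
    netstat -apn 2>/dev/null | grep -w "$1/"
}

# Constructed sample listing: one genuine crond, two imposters, one unrelated httpd.
SAMPLE_LISTING='root 812 crond /usr/sbin/crond
apache 4419 crond /var/tmp/.x/crond
root 4420 crond /tmp/crond
apache 903 httpd /usr/sbin/httpd'

# Runs the detector over the constructed sample (offline, deterministic).
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_crond
}

if [ "${1:-}" = "--live" ]; then
    live_listing | flag_crond | while read -r line; do
        echo "$line"
        investigate "${line#*pid=}" | head -n 20
    done
else
    check_sample
fi
```

Run with --live to scan the real process table; without arguments it only reports on the constructed sample, flagging PIDs 4419 and 4420.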