2011-05-05, 01:02 PM
I've recently performed some analysis on a phpMyAdmin-related vulnerability that downloads a bot onto an unsuspecting machine. I won't go into details, but suffice it to say that the bot masquerades as a "crond" process - looking at a normal process listing, it is able to hide inconspicuously.
(I've witnessed this behaviour before, when the bot tried to masquerade as a httpd process - but was running /usr/local/bin/httpd rather than /usr/sbin/httpd so was more quickly spotted.)
On my servers, there should be only one crond process, root-owned. This bot tries to run under the apache account (httpd) or a normal user account for those that use suPHP. I wouldn't advise people to stop any crond process without properly analysing what those processes do, but a combination of "lsof -p PID" and "netstat -apn" ought to uncover any nefarious activity.
Just be warned! Thought I'd give people a heads-up here.
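A scripted form of the check described in the post, added here as an example and not the poster's own code: it flags a crond that is not owned by root, or a crond/httpd whose binary path is not the expected one, and gives a helper to follow up on a flagged PID with the lsof check. The expected paths, the embedded sample ps lines and the `inspect_pid` helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Flags processes that imitate crond or
# httpd: a "crond" not owned by root, or a daemon whose binary path is not the
# expected one (e.g. /usr/local/bin/httpd instead of /usr/sbin/httpd).
# Expected paths are an assumption; adjust them to your distribution.
EXPECTED='crond=/usr/sbin/crond httpd=/usr/sbin/httpd'

# Constructed sample in `ps -eo user,pid,comm,args` layout so the check runs offline.
SAMPLE_PS='root      1042 crond /usr/sbin/crond -n
apache    2311 crond /tmp/.x/crond
apache    2312 httpd /usr/local/bin/httpd
root      2200 httpd /usr/sbin/httpd
apache    2201 httpd /usr/sbin/httpd -k start'

# Read ps-style lines on stdin; print "user pid comm path # reason" for each hit.
suspicious_procs() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $3 in want {
        reason = ""
        if ($3 == "crond" && $1 != "root") reason = "crond not owned by root"
        else if ($4 != want[$3]) reason = "unexpected binary path"
        if (reason != "") print $1, $2, $3, $4, "#", reason
    }'
}

# Follow up on a flagged PID with the checks from the post: the real executable
# behind the name (a deleted or /tmp binary is a red flag) and its network sockets.
# Assumes Linux /proc; the lsof step is skipped if lsof is not installed.
inspect_pid() {
    pid=$1
    [ -r "/proc/$pid/exe" ] && printf 'pid %s exe -> %s\n' "$pid" "$(readlink "/proc/$pid/exe")"
    command -v lsof >/dev/null 2>&1 && lsof -nP -p "$pid" 2>/dev/null | awk '$5 ~ /^IPv[46]$/'
}

# With no arguments scan the embedded sample; with "live" scan this host.
main() {
    if [ "$1" = "live" ]; then
        ps -eo user,pid,comm,args | suspicious_procs
    else
        printf '%s\n' "$SAMPLE_PS" | suspicious_procs
    fi
}
main "$@"
```

Run `sh scan.sh live` on a host to scan real processes, then `inspect_pid PID` on anything it prints before deciding whether to stop the process.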