LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  02-15-2006, 10:03 AM
jim656 (LQ Newbie)
backdoor as CRON


On our server, we found a suspicious process named CROND; sometimes it spawns many CRONDs. I am wondering whether it is a known backdoor, and how do I dispose of this dirty CROND? Thanks in advance.
 
#2  02-15-2006, 10:38 AM
MensaWater (Guru)
crond is the cron daemon. It is used for scheduling tasks you've defined in crontab or other cron files.

man crond

man cron

man crontab

will all give you more info.
 
#3  02-15-2006, 11:11 AM
unSpawn (Moderator)
@jlightner: crond is the cron daemon.
That's nice, but it is only a definition. He is having suspicions. Suspicions should not be countered by a definition but with a method that can help verify the running process. Care to add one?
 
#4  02-15-2006, 11:22 AM
MensaWater (Guru)
It seemed clear to me from his post that he didn't know what the cron daemon was so suspected it was a virus for that reason alone. Therefore posting a definition seemed appropriate.

Also I did indicate there were man pages that would give him more information. Trying to troubleshoot a "virus" when all he can really say is he has a crond running would be rather difficult. Once he's reviewed them if he still has questions he can post.

If you look through past postings by me you'll see I do usually post more than definitions and even answer follow up questions when asked.

I note you yourself didn't answer his question.
 
#5  02-15-2006, 01:39 PM
unSpawn (Moderator)
Quote: I note you yourself didn't answer his question.
The problem is the assumption that when something looks, talks and walks like crond, it probably is crond. It is kinda easy to hide an app in plain sight by changing the value of argv[0] (some processes change it legitimately, though only partially AFAIK). A process listing could give it away, but only if you use the right switches and look hard. One way could be to check the output from lsof for something like unusual opened or deleted files, unusual binary locations, etc., then proceed to verify the binaries' checksums in /proc against a known good (mirrored) package or a filesystem integrity database. This example is only meant to give an idea; it's not flawless because it:
- can't find anomalies if processes are hidden using advanced techniques,
- relies on RPM,
- checks against a local database
- and probably gets skewed results due to prelinking, so YMMV(VM):
Code:
# resolve each PID's real executable from /proc rather than trusting argv[0]
for pid in $(/usr/sbin/lsof -n -t | sort -u); do readlink /proc/$pid/exe 2>/dev/null; done \
| sort -u | while read -r bin; do
  case "$bin" in *' (deleted)') echo "WARNING: ${bin}: running from a deleted file"; continue ;; esac
  # rpm -qf prints one line per owning package; anything but exactly one word is itself a warning
  package=($(rpm -qf "$bin" 2>&1))
  case "${#package[@]}" in
    1) sum=($(rpm -q --dump "$package" | grep -m1 "^$bin "))   # field 4 = digest recorded by rpm
       chk=($(md5sum "$bin"))                                   # newer rpm records SHA-256: use sha256sum there
       if [ "${sum[3]}" != "${chk[0]}" ]; then echo "WARNING: ${bin}: SUM ERROR ${sum[3]} ${chk[0]}"; fi ;;
    *) echo "WARNING: ${bin}: ${package[*]}" ;;
  esac
done

In short: don't assume but try to make certain. That's all.
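The method sketched in this post (read the executable behind a PID from /proc instead of believing ps, flag deleted or oddly placed binaries, hash the mapped image against the file on disk, and let the package manager verify the file), as an added Python example. It is not code from the thread and not the rpm script above. SUSPICIOUS_DIRS and the warning texts are this example's own choices, the ProcRecord fields are its own layout, and the last step assumes an RPM-based host; the records used for checking below are constructed, not captured.

```python
#!/usr/bin/env python3
"""Is the process behind a PID really the program it looks like?

Added example: reads the kernel's view of each process from /proc and
flags the signs the post lists. Linux-only where it touches /proc.
"""
import hashlib
import os
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Assumption of this example: a root daemon's binary should not live here.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


@dataclass
class ProcRecord:
    pid: int
    comm: str       # /proc/PID/comm, set by the kernel at exec (prctl can alter it)
    argv0: str      # first element of /proc/PID/cmdline, fully caller-controlled
    exe_link: str   # readlink("/proc/PID/exe"), may end in " (deleted)"


def parse_exe_link(target: str):
    """Split a /proc/PID/exe link target into (path, was_deleted)."""
    suffix = " (deleted)"
    if target.endswith(suffix):
        return target[: -len(suffix)], True
    return target, False


def check_record(rec: ProcRecord) -> List[str]:
    """Warnings derivable from /proc metadata alone (no hashing, no rpm)."""
    warnings = []
    exe, deleted = parse_exe_link(rec.exe_link)
    if deleted:
        warnings.append(f"pid {rec.pid}: executable {exe} was deleted or replaced on disk")
    if exe.startswith(SUSPICIOUS_DIRS):
        warnings.append(f"pid {rec.pid}: executable in unusual location {exe}")
    # ps shows argv[0]; the exe link shows the file that was actually exec'd.
    # Case-insensitive so crond's job runners, which retitle themselves
    # "CROND", do not fire. Interpreters legitimately differ (argv[0] names
    # the interpreter or script), so treat a hit as a lead, not a verdict.
    if os.path.basename(rec.argv0).lower() != os.path.basename(exe).lower():
        warnings.append(f"pid {rec.pid}: argv[0] {rec.argv0!r} (comm {rec.comm!r}) "
                        f"but the executable is {exe}")
    return warnings


def collect(pid: int) -> Optional[ProcRecord]:
    """Read one process from /proc. None if it is gone or not readable."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
        exe_link = os.readlink(f"{base}/exe")
    except OSError:        # kernel threads have no exe; others' exe needs root
        return None
    return ProcRecord(pid, comm, argv0, exe_link)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_image_to_disk(pid: int) -> List[str]:
    """Hash what the process runs (/proc/PID/exe) against the path it names.
    Works after deletion too: the link still opens the old inode."""
    exe, deleted = parse_exe_link(os.readlink(f"/proc/{pid}/exe"))
    mapped = sha256_of(f"/proc/{pid}/exe")
    if deleted:
        return [f"pid {pid}: running deleted image of {exe}, sha256 {mapped}"]
    if mapped != sha256_of(exe):
        return [f"pid {pid}: running image differs from {exe} on disk"]
    return []


def rpm_verify(path: str) -> List[str]:
    """rpm -Vf prints nothing when the file verifies; a '5' in the flags
    column means the digest no longer matches the package."""
    if shutil.which("rpm") is None:
        return [f"{path}: rpm not installed, package check skipped"]
    r = subprocess.run(["rpm", "-Vf", path], capture_output=True, text=True)
    return [l for l in (r.stdout + r.stderr).splitlines() if path in l]


def scan_all() -> List[str]:
    findings = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            rec = collect(int(name))
            if rec is not None:
                findings.extend(check_record(rec))
    return findings


if __name__ == "__main__":
    for line in scan_all():
        print(line)
```

Run it as root so every /proc/PID/exe is readable; a hit from check_record is the cue to run compare_image_to_disk and rpm_verify on that PID, not a verdict by itself, since a rootkit that hides processes from /proc defeats this just as it defeats lsof.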
 
#6  02-15-2006, 02:15 PM
MensaWater (Guru)
One has to make assumptions based on what is posted. As I indicated the main thing I got out of the original post was that the user did not know the purpose of crond and wanted to know if it was a known virus which it is not. As you correctly state it is possible to make a known process into a virus but the user IMHO had not provided any reasoning to suggest it was a virus.

The great thing about the forums is that multiple people can give their input. You've now given yours and hopefully the user has enough to work with and if not at least will be able to provide enough additional information for further suggestions.
 
#7  02-15-2006, 08:57 PM
jim656 (LQ Newbie, original poster)
unSpawn: your explanation makes sense. The normal process is lowercase; in the process list, CROND is uppercase. I post the screen display below:

Code:
[root@market root]# ps aux | grep -i cron
root      1140  0.0  0.0  2316  508 ?      S    Feb14   0:00 crond
root      4072  0.0  0.0  7452 2324 ?      S    21:49   0:00 CROND
root      5740  0.0  0.0  7452 2324 ?      S    21:51   0:00 CROND
root      5757  0.0  0.0  4956  592 pts/0  S    21:51   0:00 grep -i cron
[root@market root]# lsof -p 1140
COMMAND   PID USER   FD TYPE     DEVICE    SIZE     NODE NAME
crond    1140 root  cwd  DIR        8,1    4096  1087010 /var/spool
crond    1140 root  rtd  DIR        8,1    4096        2 /
crond    1140 root  txt  REG        8,1   25696   811440 /usr/sbin/crond
crond    1140 root  mem  REG        8,1  107724   779074 /lib/ld-2.3.2.so
crond    1140 root  mem  REG        8,1 1578228   990692 /lib/tls/libc-2.3.2.so
crond    1140 root   0u  CHR        5,1            65091 /dev/console
crond    1140 root   1w FIFO        0,5             1535 pipe
crond    1140 root   2w FIFO        0,5             1536 pipe
crond    1140 root   3u  REG        8,1       5  1071064 /var/run/crond.pid
crond    1140 root   4u unix 0xf7216400             1539 socket
[root@market root]# lsof -p 4072
COMMAND   PID USER   FD TYPE     DEVICE    SIZE     NODE NAME
crond    4072 root  cwd  DIR        8,1    4096  1087010 /var/spool
crond    4072 root  rtd  DIR        8,1    4096        2 /
crond    4072 root  txt  REG        8,1   25696   811440 /usr/sbin/crond
crond    4072 root  mem  REG        8,1   15076   357010 /usr/lib/sasl2/libcrammd5.so.2.0.15
crond    4072 root  mem  REG        8,1   12784   357137 /usr/lib/sasl2/liblogin.so.2.0.15
crond    4072 root  mem  REG        8,1 1980660   778926 /lib/libnss_ldap-2.3.2.so
crond    4072 root  mem  REG        8,1   12336   357002 /usr/lib/sasl2/libanonymous.so.2.0.15
crond    4072 root  mem  REG        8,1   43480   357014 /usr/lib/sasl2/libdigestmd5.so.2.0.15
crond    4072 root  mem  REG        8,1  107724   779074 /lib/ld-2.3.2.so
crond    4072 root  mem  REG        8,1 1578228   990692 /lib/tls/libc-2.3.2.so
crond    4072 root  mem  REG        8,1   16312   779075 /lib/libdl-2.3.2.so
crond    4072 root  mem  REG        8,1   65928   211200 /usr/lib/libz.so.1.2.0.7
crond    4072 root  mem  REG        8,1   78048   779078 /lib/libresolv-2.3.2.so
crond    4072 root  mem  REG        8,1   24848   778908 /lib/libcrypt-2.3.2.so
crond    4072 root  mem  REG        8,1    7464   778888 /lib/libcom_err.so.2.1
crond    4072 root  mem  REG        8,1  101264   990693 /lib/tls/libpthread-0.60.so
crond    4072 root  mem  REG        8,1  431424   211204 /usr/lib/libkrb5.so.3.2
crond    4072 root  mem  REG        8,1  977252   779082 /lib/libcrypto.so.0.9.7a
crond    4072 root  mem  REG        8,1  139960   211180 /usr/lib/libk5crypto.so.3.0
crond    4072 root  mem  REG        8,1   83732   211206 /usr/lib/libgssapi_krb5.so.2.2
crond    4072 root  mem  REG        8,1  793264   990694 /lib/tls/libdb-4.1.so
crond    4072 root  mem  REG        8,1   12852   357141 /usr/lib/sasl2/libplain.so.2.0.15
crond    4072 root  mem  REG        8,1   15676   357006 /usr/lib/sasl2/libsasldb.so.2.0.15
crond    4072 root  mem  REG        8,1   51152   778852 /lib/libnss_files-2.3.2.so
crond    4072 root  mem  REG        8,1   18316   778849 /lib/libnss_dns-2.3.2.so
crond    4072 root   0u  CHR        5,1            65091 /dev/console
crond    4072 root   1w FIFO        0,5             1535 pipe
crond    4072 root   2w FIFO        0,5             1536 pipe
crond    4072 root   4u unix 0xf7216400             1539 socket
crond    4072 root   6r FIFO        0,5         11658204 pipe
 
#8  02-16-2006, 06:42 AM
unSpawn (Moderator)
If you compare your output
Code:
COMMAND   PID USER   FD TYPE     DEVICE    SIZE     NODE NAME
crond    1140 root  txt  REG        8,1   25696   811440 /usr/sbin/crond
crond    4072 root  txt  REG        8,1   25696   811440 /usr/sbin/crond
you see that both processes share attributes like running user, binary size, inode and location.
Unless there are other things in play we now *know* it is the same process.
If there still remains doubt, verify the binary checksum:
Code:
md5sum /proc/{1140,4072}/exe /usr/sbin/crond

Quote: normal process is lowercase; in the process list, CROND is uppercase.
One thing you notice is that process "CROND" has many more files open. This could be a child process of crond handling a job.
To check that child-parent relationship we need to list the processes and see if the parent process has a PPID of "1" and all child processes have the PPID set to the PID of the parent. Run lsof again, but add the switch "-R" to make it show the PPID, and grep for "/usr/sbin/crond". If you want to make lsof output faster add the "-n" switch to stop hostname resolution. "-n" also works on other apps, for instance netstat.

Last edited by unSpawn; 02-16-2006 at 06:43 AM.
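The parent/child check unSpawn asks for in this post, as an added Python example rather than lsof -R output. It is not code from the thread. It parses /proc/PID/stat directly, and the expectation it encodes is this example's own assumption: exactly one long-lived instance of the daemon whose parent is PID 1, with every other process on the same executable a child of it. SAMPLE is a constructed snapshot modelled on the ps listing in post #7 plus two invented anomalies (pids 6001 and 6002); it is not data from the thread.

```python
#!/usr/bin/env python3
"""Do the processes running a daemon's binary form the tree that daemon
is expected to produce? Added example; /proc access is Linux-only."""
import os
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

DELETED = " (deleted)"


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str   # the name in parentheses in /proc/PID/stat (15 chars max)
    exe: str    # readlink("/proc/PID/exe"), "" when unreadable


def parse_stat(line: str) -> Tuple[int, str, int]:
    """Return (pid, comm, ppid) from 'pid (comm) state ppid ...'. comm may
    contain spaces or ')' so cut at the last ')' rather than on whitespace."""
    lpar, rpar = line.index("("), line.rindex(")")
    rest = line[rpar + 1:].split()          # rest[0] is the state letter
    return int(line[:lpar]), line[lpar + 1:rpar], int(rest[1])


def strip_deleted(exe: str) -> str:
    return exe[:-len(DELETED)] if exe.endswith(DELETED) else exe


def collect_live() -> Dict[int, Proc]:
    """Snapshot /proc. Another user's exe link is readable only by root."""
    procs: Dict[int, Proc] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as f:
                pid, comm, ppid = parse_stat(f.read())
        except OSError:
            continue                        # exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            exe = ""
        procs[pid] = Proc(pid, ppid, comm, exe)
    return procs


def check_daemon_tree(procs: Dict[int, Proc], daemon_exe: str) -> List[str]:
    """Findings about every process that runs daemon_exe, or is named like it."""
    findings: List[str] = []
    instances = {p.pid: p for p in procs.values()
                 if strip_deleted(p.exe) == daemon_exe}
    # Roots are instances whose parent is not itself an instance. Children the
    # daemon forks for jobs (crond's CROND runners) are therefore not roots.
    roots = [p for p in instances.values() if p.ppid not in instances]
    for r in roots:
        if r.ppid != 1:
            findings.append(f"pid {r.pid}: runs {daemon_exe} but was started by "
                            f"pid {r.ppid}, not by init or the daemon")
    if len(roots) > 1:
        findings.append(f"{len(roots)} independent instances of {daemon_exe}: "
                        f"pids {sorted(r.pid for r in roots)}")
    for p in instances.values():
        if p.exe.endswith(DELETED):
            findings.append(f"pid {p.pid}: {daemon_exe} was replaced on disk after start")
    # Something that merely calls itself by the daemon's name.
    wanted = os.path.basename(daemon_exe).lower()
    for p in procs.values():
        if p.comm.lower() == wanted and p.pid not in instances:
            findings.append(f"pid {p.pid}: named {p.comm!r} but runs "
                            f"{p.exe or '<exe unreadable>'}")
    return findings


# Constructed snapshot: 1140/4072/5740/5757 follow the thread's ps output,
# 6001 and 6002 are invented anomalies for this example.
SAMPLE: Dict[int, Proc] = {
    1:    Proc(1,    0,    "init",  "/sbin/init"),
    1140: Proc(1140, 1,    "crond", "/usr/sbin/crond"),  # the daemon
    4072: Proc(4072, 1140, "crond", "/usr/sbin/crond"),  # job runner ("CROND" in ps)
    5740: Proc(5740, 1140, "crond", "/usr/sbin/crond"),
    5757: Proc(5757, 5700, "grep",  "/bin/grep"),
    6001: Proc(6001, 1,    "crond", "/usr/sbin/crond"),  # a second daemon instance
    6002: Proc(6002, 1,    "crond", "/tmp/.x/crond"),    # name collision, other binary
}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/crond"
    procs = collect_live() if sys.platform.startswith("linux") else SAMPLE
    for line in check_daemon_tree(procs, target) or ["no anomalies found"]:
        print(line)
```

On the thread's own numbers the tree is clean: 1140 is the only root and its parent is init, and 4072 and 5740 hang off it. The two constructed anomalies show what the check is for: a second crond with PPID 1 that the first one did not start, and a process called crond whose exe link points somewhere else entirely. Note that the comm field, like argv[0], can be changed by the process, so the exe link remains the authority.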
 