LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 09-11-2007, 02:54 PM   #1
shankarLe
Member
 
Registered: Apr 2006
Location: Hyderabad,India
Distribution: RedHat EL 4
Posts: 31

weird cron messages


Hello All,

I am using RHEL 4.0 on an i386 machine (kernel is 2.6.9-5). For a couple of days, I have been receiving some strange cron jobs from root@mydomain.com. Here is a copy of such a message.

Message 63170:
From root@xxxxxxxx.com Tue Sep 11 12:45:01 2007
Date: Tue, 11 Sep 2007 12:45:01 -0500
From: root@xxxxxxxxxx.com (Cron Daemon)
To: root@xxxxxxxxxx.com
Subject: Cron <root@xxxxxxxxx> chown root:root /home/shankar/prctlpute && chmod 4755 /home/shankar/prctlpute && rm -rf /etc/cron.d/core && kill -USR1 28877
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

chown: cannot access `/home/shankar/prctlpute': No such file or directory

I have checked the cron by executing this:

crontab -l

I don't find any jobs related to this. I even deleted the user "shankar", but I still receive this message every minute. Please let me know how to get rid of such cron messages to me (root).

Thanks
 
Old 09-11-2007, 03:32 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

My guess (the name being too unique) is that it is an attempt to use this. If that's the case then you'll want to perform a full audit of the box using this as a guideline: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. At least check any daemon and all system logs, your login records, and verify the system binaries and any stuff dropped in temp dirs. If you report back any findings, please provide as many details as you can.
 
Old 10-04-2007, 09:17 AM   #3
shankarLe
Member
 
Registered: Apr 2006
Location: Hyderabad,India
Distribution: RedHat EL 4
Posts: 31

Original Poster
Are these legitimate?

Hello,

Thank you for the help.

With the help of the above document, I did a lot of research on the system. I found many files that seem to be suspicious. There is a file called "a.txt" which has some perl script in it. I have deleted it by mistake.
[root@cron.d]# pwd
/etc/cron.d

#ls -al
total 148
drwxr-xr-x 2 root root 4096 Oct 4 08:30 .
drwxr-xr-x 75 root root 12288 Oct 4 04:37 ..
-rw------- 1 root 502 270336 Jul 26 19:36 core.24771
-rw------- 1 root 502 1933312 Jul 26 20:43 core.28878

I have not created these two files and when I do this,

#file core.24771
core.24771: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'a.txt'

#file core.28878
core.28878: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'prctlpute'

Now I have some idea where these files are: someone is trying to execute these files through crontab, so I keep on receiving cron messages. I have now deleted these files.

Now, there is a file that sits in the /tmp directory. The file name is sh (it has suid).

# ls -l /tmp/sh
-rwsr-xr-x 1 root root 616184 Oct 4 09:08 /tmp/sh

So, file /tmp/sh gives this:

/tmp/sh: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

How do I check which service is using this file, or who is actually running this? When I delete it, it still comes up automatically.

Lastly, I found some IRC services are running on my box; someone installed some proxy or psybnc (maybe like this):

psybnc 9972 httpd 3u IPv4 1549354 TCP *:6969 (LISTEN)

I have seen many connections made to port 6969. How do I get rid of this?

Thanks for all your help..
 
Old 10-08-2007, 03:15 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54

Quote:
Originally Posted by shankarLe
How to get rid of this.
It took you almost a month to reply which means I clearly was not able to convey to you the seriousness of the situation. That's bad. You run a kernel that was marked vulnerable last year July (CVE-2006-2451) and you allowed users to abuse that situation. You will not get rid of this the easy way nor should you try to "fix" things.

Make this compromised machine inaccessible from the 'net by raising the firewall to only allow traffic from and to your management IP (range) and shutting down crond, killing rogue processes and any other regular services you do not need to access the box (you only need SSH). You should build a new box, use new passphrases and non-vulnerable kernel and application versions. Make the machine auditable and harden it properly before migrating content and activating services. DO NOT prune 'n graft applications onto the new box as-is but dump the application contents you need and inspect before migrating. Revisit the configuration, updating, auditing and hardening part before allowing 'net access and decommission the old box. Before you commence please read at least: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html

(also see: LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261)

Any related questions: just ask, but please speed things up a wee bit.
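The first step in the reply above, restricting the compromised box to management traffic only, is the one most often done wrong under pressure. The following added example (not from the thread or any poster) generates, but does not apply, an iptables rule set that defaults to DROP in both directions, keeps loopback and already-established connections, and admits new SSH only from a management range; everything else is logged before being dropped so the rogue connections can still be observed. The management CIDR and SSH port are parameters you supply; 192.0.2.0/24 in the usage is a documentation range, not a real address.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables lockdown for review, then apply
# it with `gen_lockdown_rules MGMT_CIDR [SSH_PORT] | sh` once it has been read.

# Emit the rules to stdout. $1 is the management network in CIDR form (required),
# $2 the SSH port (default 22). Returns 1 and prints usage if $1 is not a CIDR.
gen_lockdown_rules() {
    mgmt="$1"
    ssh_port="${2:-22}"
    case "$mgmt" in
        */*) ;;
        *) echo "usage: gen_lockdown_rules MGMT_CIDR [SSH_PORT]" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $mgmt --dport $ssh_port -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $mgmt -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "LOCKDOWN-IN "
iptables -A OUTPUT -j LOG --log-prefix "LOCKDOWN-OUT "
EOF
}

# Stand-alone demo: sh lockdown.sh --demo  (prints rules for the 192.0.2.0/24 range)
if [ "${1:-}" = "--demo" ]; then
    gen_lockdown_rules 192.0.2.0/24 22
fi
```

The OUTPUT policy of DROP is deliberate: a box in this state must not be allowed to reach IRC servers, update mirrors or anything else on its own, and the only outbound traffic permitted is replies to the management session and new connections back to the management range for copying evidence off. The LOG rules write to the kernel log, so the port 6969 connections mentioned earlier remain visible there after the lockdown.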
 