Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 02-15-2006, 10:03 AM | LQ Newbie (Registered: Nov 2005, Posts: 9)
backdoor as CRON
On our server, we found a suspicious process named CROND; sometimes it spawns many CRONDs. I am wondering whether it is a known backdoor, and how to dispose of this dirty CROND? Thanks in advance.
#2 | 02-15-2006, 10:38 AM | LQ Guru
Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
crond is the cron daemon. It is used for scheduling tasks you've defined in crontab or other cron files.
man crond
man cron
man crontab
will all give you more info.
#3 | 02-15-2006, 11:11 AM | Moderator (Registered: May 2001, Posts: 29,415)
@jlightner: crond is the cron daemon.
That's nice, but it is only a definition. He is having suspicions. Suspicions should not be countered by a definition but with a method that can help verify the running process. Care to add one?
#4 | 02-15-2006, 11:22 AM | LQ Guru
Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
It seemed clear to me from his post that he didn't know what the cron daemon was so suspected it was a virus for that reason alone. Therefore posting a definition seemed appropriate.
Also I did indicate there were man pages that would give him more information. Trying to troubleshoot a "virus" when all he can really say is he has a crond running would be rather difficult. Once he's reviewed them if he still has questions he can post.
If you look through past postings by me you'll see I do usually post more than definitions and even answer follow up questions when asked.
I note you yourself didn't answer his question.
#5 | 02-15-2006, 01:39 PM | Moderator (Registered: May 2001, Posts: 29,415)
I note you yourself didn't answer his question.
The problem is the assumption that when something looks, talks and walks like crond, it probably is crond. It is kinda easy to hide an app in plain sight by changing the value of argv[0] (some processes change it legitimately, though only partially AFAIK). A process listing could give it away, but only if you use the right switches and look hard. One way could be to check the output from lsof for something like unusual opened or deleted files, unusual binary locations, etc., then proceed to verify the binaries' checksum in /proc against a known good (mirrored) package or a filesystem integrity database. This example is only meant to give an idea; it's not flawless because it:
- can't find anomalies if processes are hidden using advanced techniques,
- relies on RPM,
- checks against a local database
- and probably gets skewed results due to prelinking, so YMMV(VM):
Code:
# For every running process: resolve its executable via /proc, find the RPM that owns it and
# compare the on-disk digest with the one recorded in the RPM database. Newer RPM records
# SHA-256 (64 hex chars) in --dump output instead of MD5, so the matching tool is chosen.
/usr/sbin/lsof -n -t | while read -r pid; do readlink "/proc/$pid/exe"; done 2>/dev/null | sort -u |
while read -r bin; do
  package=($(rpm -qf "$bin" 2>&1))
  case "${#package[@]}" in
    1) sum=($(rpm -q --dump "$package" | grep -m1 "^$bin "))   # fields: path size mtime digest ...
       case "${#sum[3]}" in 64) chk=($(sha256sum "$bin"));; *) chk=($(md5sum "$bin"));; esac
       [ "${sum[3]}" = "${chk[0]}" ] || echo "WARNING: ${bin}: SUM ERROR ${sum[3]} ${chk[0]}";;
    *) echo "WARNING: ${package[*]}";;   # not owned by any package (or owned by several)
  esac
done
In short: don't assume but try to make certain. That's all.
#6 | 02-15-2006, 02:15 PM | LQ Guru
Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
One has to make assumptions based on what is posted. As I indicated the main thing I got out of the original post was that the user did not know the purpose of crond and wanted to know if it was a known virus which it is not. As you correctly state it is possible to make a known process into a virus but the user IMHO had not provided any reasoning to suggest it was a virus.
The great thing about the forums is that multiple people can give their input. You've now given yours and hopefully the user has enough to work with and if not at least will be able to provide enough additional information for further suggestions.
#7 | 02-15-2006, 08:57 PM | LQ Newbie, Original Poster (Registered: Nov 2005, Posts: 9)
unSpawn: your explanation makes sense. The normal process is lowercase; in the process list, CROND is uppercase. I post the screen display below:
[root@market root]# ps aux | grep -i cron
root 1140 0.0 0.0 2316 508 ? S Feb14 0:00 crond
root 4072 0.0 0.0 7452 2324 ? S 21:49 0:00 CROND
root 5740 0.0 0.0 7452 2324 ? S 21:51 0:00 CROND
root 5757 0.0 0.0 4956 592 pts/0 S 21:51 0:00 grep -i cron
[root@market root]# lsof -p 1140
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
crond 1140 root cwd DIR 8,1 4096 1087010 /var/spool
crond 1140 root rtd DIR 8,1 4096 2 /
crond 1140 root txt REG 8,1 25696 811440 /usr/sbin/crond
crond 1140 root mem REG 8,1 107724 779074 /lib/ld-2.3.2.so
crond 1140 root mem REG 8,1 1578228 990692 /lib/tls/libc-2.3.2.so
crond 1140 root 0u CHR 5,1 65091 /dev/console
crond 1140 root 1w FIFO 0,5 1535 pipe
crond 1140 root 2w FIFO 0,5 1536 pipe
crond 1140 root 3u REG 8,1 5 1071064 /var/run/crond.pid
crond 1140 root 4u unix 0xf7216400 1539 socket
[root@market root]# lsof -p 4072
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
crond 4072 root cwd DIR 8,1 4096 1087010 /var/spool
crond 4072 root rtd DIR 8,1 4096 2 /
crond 4072 root txt REG 8,1 25696 811440 /usr/sbin/crond
crond 4072 root mem REG 8,1 15076 357010 /usr/lib/sasl2/libcrammd5.so.2.0.15
crond 4072 root mem REG 8,1 12784 357137 /usr/lib/sasl2/liblogin.so.2.0.15
crond 4072 root mem REG 8,1 1980660 778926 /lib/libnss_ldap-2.3.2.so
crond 4072 root mem REG 8,1 12336 357002 /usr/lib/sasl2/libanonymous.so.2.0.15
crond 4072 root mem REG 8,1 43480 357014 /usr/lib/sasl2/libdigestmd5.so.2.0.15
crond 4072 root mem REG 8,1 107724 779074 /lib/ld-2.3.2.so
crond 4072 root mem REG 8,1 1578228 990692 /lib/tls/libc-2.3.2.so
crond 4072 root mem REG 8,1 16312 779075 /lib/libdl-2.3.2.so
crond 4072 root mem REG 8,1 65928 211200 /usr/lib/libz.so.1.2.0.7
crond 4072 root mem REG 8,1 78048 779078 /lib/libresolv-2.3.2.so
crond 4072 root mem REG 8,1 24848 778908 /lib/libcrypt-2.3.2.so
crond 4072 root mem REG 8,1 7464 778888 /lib/libcom_err.so.2.1
crond 4072 root mem REG 8,1 101264 990693 /lib/tls/libpthread-0.60.so
crond 4072 root mem REG 8,1 431424 211204 /usr/lib/libkrb5.so.3.2
crond 4072 root mem REG 8,1 977252 779082 /lib/libcrypto.so.0.9.7a
crond 4072 root mem REG 8,1 139960 211180 /usr/lib/libk5crypto.so.3.0
crond 4072 root mem REG 8,1 83732 211206 /usr/lib/libgssapi_krb5.so.2.2
crond 4072 root mem REG 8,1 793264 990694 /lib/tls/libdb-4.1.so
crond 4072 root mem REG 8,1 12852 357141 /usr/lib/sasl2/libplain.so.2.0.15
crond 4072 root mem REG 8,1 15676 357006 /usr/lib/sasl2/libsasldb.so.2.0.15
crond 4072 root mem REG 8,1 51152 778852 /lib/libnss_files-2.3.2.so
crond 4072 root mem REG 8,1 18316 778849 /lib/libnss_dns-2.3.2.so
crond 4072 root 0u CHR 5,1 65091 /dev/console
crond 4072 root 1w FIFO 0,5 1535 pipe
crond 4072 root 2w FIFO 0,5 1536 pipe
crond 4072 root 4u unix 0xf7216400 1539 socket
crond 4072 root 6r FIFO 0,5 11658204 pipe
#8 | 02-16-2006, 06:42 AM | Moderator (Registered: May 2001, Posts: 29,415)
|
If you compare your output
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
crond 1140 root txt REG 8,1 25696 811440 /usr/sbin/crond
crond 4072 root txt REG 8,1 25696 811440 /usr/sbin/crond
you see that both processes share attributes like running user, binary size, inode and location.
Unless there are other things in play, we now *know* it is the same process.
If there still remains doubt, verify the binary checksum:
md5sum /proc/{1140,4072}/exe /usr/sbin/crond
The normal process is lowercase; in the process list, CROND is uppercase.
One thing you notice is that process "CROND" has many more files open. This could be a child process of crond handling a job.
To check that child-parent relationship we need to list the processes and see if the parent process has a PPID of "1" and all child processes have their PPID set to the PID of the parent. Run lsof again, but add the switch "-R" to make it show the PPID, and grep for "/usr/sbin/crond". *If you want to make lsof output faster, add the "-n" switch to stop hostname resolution. "-n" also works on other apps like, for instance, netstat.
Last edited by unSpawn; 02-16-2006 at 06:43 AM.
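An added example, not code from the thread or from any of its posters: the checks unSpawn describes in posts #5 and #8 (the executable behind a process versus the name ps prints, deleted or unreadable binaries, the "parent has PPID 1, children have the parent's PID" test, and hashing /proc/<pid>/exe) done by reading /proc directly, so it needs neither lsof nor RPM. Per PID the kernel exposes exe (readlink of /proc/<pid>/exe, the binary that was actually executed), comm (/proc/<pid>/comm, a 15-character name a process can change with prctl(PR_SET_NAME)), argv[0] (/proc/<pid>/cmdline, what `ps aux` shows and what a process can overwrite) and the parent PID (/proc/<pid>/stat). The function names, the proc_root parameter and the build_sample_proc() tree are assumptions of this example; the sample PIDs 1140 and 4072 mirror the thread, the rest (6001, 6002, 6003) are planted anomalies, and none of it is captured from a real host.

```python
"""Added example: verify processes from /proc instead of trusting the names ps prints."""
import hashlib
import os
import tempfile


def _read(path, binary=False):
    with open(path, "rb" if binary else "r") as f:
        return f.read()


def collect(proc_root="/proc"):
    """Return {pid: {exe, comm, argv0, ppid}} for every numeric entry under proc_root."""
    procs = {}
    for name in filter(str.isdigit, os.listdir(proc_root)):
        d = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(d, "exe"))
        except OSError:
            exe = None  # kernel thread, zombie, or a process we are not allowed to inspect
        comm = _read(os.path.join(d, "comm")).rstrip("\n")
        argv = _read(os.path.join(d, "cmdline"), binary=True).split(b"\0")
        argv0 = argv[0].decode(errors="replace") if argv and argv[0] else ""
        stat = _read(os.path.join(d, "stat"))
        # comm is parenthesised and may contain spaces or ')': split after the LAST ')' -> [state, ppid, ...]
        ppid = int(stat[stat.rindex(")") + 1:].split()[1])
        procs[int(name)] = {"exe": exe, "comm": comm, "argv0": argv0, "ppid": ppid}
    return dict(sorted(procs.items()))


def audit(procs):
    """Post #5's point: names are process-controlled, exe is not. Returns [(pid, code, detail)]."""
    findings = []
    for pid, p in procs.items():
        exe = p["exe"]
        if exe is None:
            if p["argv0"]:  # has a command line but no readable exe: hidden, or not ours to read
                findings.append((pid, "EXE_UNREADABLE", p["comm"]))
            continue  # no cmdline and no exe: kernel thread or zombie, nothing to verify
        if exe.endswith(" (deleted)"):
            findings.append((pid, "EXE_DELETED", exe))  # unlinked after exec: classic cleanup
            exe = exe[: -len(" (deleted)")]
        base = os.path.basename(exe)
        if p["comm"] != base[:15]:  # TASK_COMM_LEN - 1: the kernel truncates comm to 15 chars
            findings.append((pid, "COMM_MISMATCH", f"comm={p['comm']!r} exe={base!r}"))
        if os.path.basename(p["argv0"]).lstrip("-") != base:  # "-bash" login shells are normal
            findings.append((pid, "ARGV0_MISMATCH", f"argv0={p['argv0']!r} exe={base!r}"))
    return findings


def groups_by_exe(procs):
    """PIDs started from the same binary, keyed by path (post #8's size/inode comparison)."""
    groups = {}
    for pid, p in procs.items():
        if p["exe"]:
            groups.setdefault(p["exe"].replace(" (deleted)", ""), []).append(pid)
    return groups


def daemon_tree(procs, pids):
    """Post #8's PPID test -> (daemons with PPID 1, strays whose parent is outside the group)."""
    daemons = [pid for pid in pids if procs[pid]["ppid"] == 1]
    strays = [pid for pid in pids if procs[pid]["ppid"] != 1 and procs[pid]["ppid"] not in pids]
    return daemons, strays


def md5_of(path):
    """Use on /proc/<pid>/exe: a real kernel serves the mapped binary even if it was unlinked."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        while chunk := f.read(1 << 16):
            h.update(chunk)
    return h.hexdigest()


def _w(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_sample_proc():
    """Constructed /proc look-alike, not captured from a host: crond 1140 and its CROND child
    4072 as in the thread, plus planted anomalies 6001/6002/6003. Returns (root, fake crond path)."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    crond_bin = os.path.join(root, "crond")
    _w(crond_bin, b"\x7fELF-not-really-crond")
    entries = {  # pid: (exe link target, comm, argv, ppid)
        1: ("/sbin/init", "init", [b"init"], 0),
        2: (None, "kthreadd", [], 0),  # kernel thread: no exe, empty cmdline
        1140: (crond_bin, "crond", [b"crond"], 1),  # the daemon
        4072: (crond_bin, "crond", [b"CROND"], 1140),  # job child with rewritten argv[0]
        6001: (crond_bin + " (deleted)", "crond", [b"crond"], 1),  # second daemon, binary gone
        6002: ("/tmp/.x", "crond", [b"crond"], 4000),  # named crond, is not, odd parent
        6003: (None, "crond", [b"crond"], 1),  # exe link unreadable
    }
    for pid, (exe, comm, argv, ppid) in entries.items():
        d = os.path.join(root, str(pid))
        os.mkdir(d)
        if exe is not None:
            os.symlink(exe, os.path.join(d, "exe"))
        _w(os.path.join(d, "comm"), comm.encode() + b"\n")
        _w(os.path.join(d, "cmdline"), b"\0".join(argv + [b""]) if argv else b"")
        _w(os.path.join(d, "stat"), f"{pid} ({comm}) S {ppid} {pid} {pid} 0 -1 0\n".encode())
    return root, crond_bin
```

Run collect() and audit() against the real /proc as root; as an unprivileged user readlink on another user's exe fails and the audit reports it as EXE_UNREADABLE. The name mismatches are triage signals, not verdicts: interpreters, login shells and daemons that rename their job children (as the CROND child in the thread appears to) trip them legitimately, and it is the hash of /proc/<pid>/exe compared with the package database, plus the PPID test, that settles it. A rootkit that filters /proc entries defeats this just as it defeats lsof, which is unSpawn's first caveat.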