wired cron messages
Hello All,
I am using RHEL 4.0 on i386 machine (kernel is, 2.6.9-5). For the couple of days, I have been receiving some strange cron jobs from the root@mydomain.com. Here is the copy of such message. Message 63170: From root@xxxxxxxx.com Tue Sep 11 12:45:01 2007 Date: Tue, 11 Sep 2007 12:45:01 -0500 From: root@xxxxxxxxxx.com (Cron Daemon) To: root@xxxxxxxxxx.com Subject: Cron <root@xxxxxxxxx> chown root:root /home/shankar/prctlpute && chmod 4755 /home/shankar/prctlpute && rm -rf /etc/cron.d/core && kill -USR1 28877 X-Cron-Env: <SHELL=/bin/sh> X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin> X-Cron-Env: <HOME=/root> X-Cron-Env: <LOGNAME=root> X-Cron-Env: <USER=root> chown: cannot access `/home/shankar/prctlpute': No such file or directory I have checked in the cron by executing this, crontab -l I dont find any jobs realated to this, I did even delete the user "shankar", but I still receive this message in every minute. Please let me know how to get rid of such cron messages to me (root). Thanks |
My guess (the name being too unique) it is an attempt to use this. If that's the case then you'll want to perform a full audit of the box using this as guideline: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. At least check any daemon and all system logs, your login records and verify the system binaries, any stuff dropped in temp dirs. If you report back any findings please provide as much details as you can.
|
Are these legitimate?
Hello,
Thank you for the help. With help of the above document, I did lot of research on the system. I found many files that seems to be suspicious. There is a file called "a.txt" which has some perl script in it. I have deleted it by mistake. [root@cron.d]# pwd /etc/cron.d #ls -al total 148 drwxr-xr-x 2 root root 4096 Oct 4 08:30 . drwxr-xr-x 75 root root 12288 Oct 4 04:37 .. -rw------- 1 root 502 270336 Jul 26 19:36 core.24771 -rw------- 1 root 502 1933312 Jul 26 20:43 core.28878 I have not created these two files and when I do this, #file core.24771 core.24771: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'a.txt' #file core.28878 core.28878: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'prctlpute' Now, I got some idea where these files are. someone trying to execute these files though cron tab. So I am keep on receiving cron messages to me. I have now deleted these files. Now, there is a file sits in /tmp directory. The file name is sh(it has suid). # ls -l /tmp/sh -rwsr-xr-x 1 root root 616184 Oct 4 09:08 /tmp/sh so, file /tmp/sh gives this, /tmp/sh: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped how do i check which service using this file or who is actually running this? when i delete this, it still comes up automatically. lastly I found some irc services are running on my box, someone installed some proxy or psybnc (may be like this) psybnc 9972 httpd 3u IPv4 1549354 TCP *:6969 (LISTEN) I seen many connections made to 6969 port. How to get rid of this. Thanks for all your help.. |
Quote:
Make this compromised machine inaccessable from the 'net by raising the firewall to only allow traffic from and to your management IP (range) and shutting down crond, killing rogue processes and any other regular services you do not need to access the box (you only need SSH). You should build a new box, use new passphrases and non-vulnerable kernel and application versions. Make the machine auditable and harden it properly before migrating content and activating services. DO NOT prune 'n graft applications onto the new box as-is but dump the application contents you need and inspect before migrating. Revisit the configuration, updating, auditing and hardening part before allowing 'net access and decommission the old box. Before you commence please read at least: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html (also see: LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261) Any related questions: just ask, but please speed things up a wee bit. |
All times are GMT -5. The time now is 05:40 PM. |