wired cron messages
 

Hello All,

I am using RHEL 4.0 on i386 machine (kernel is, 2.6.9-5). For the couple of days, I have been receiving some strange cron jobs from the root@mydomain.com. Here is the copy of such message.

Message 63170:
From root@xxxxxxxx.com Tue Sep 11 12:45:01 2007
Date: Tue, 11 Sep 2007 12:45:01 -0500
From: root@xxxxxxxxxx.com (Cron Daemon)
To: root@xxxxxxxxxx.com
Subject: Cron <root@xxxxxxxxx> chown root:root /home/shankar/prctlpute && chmod 4755 /home/shankar/prctlpute && rm -rf /etc/cron.d/core && kill -USR1 28877
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>

chown: cannot access `/home/shankar/prctlpute': No such file or directory

I have checked in the cron by executing this,

crontab -l

I dont find any jobs realated to this, I did even delete the user "shankar", but I still receive this message in every minute. Please let me know how to get rid of such cron messages to me (root).

Thanks

My guess (the name being too unique) it is an attempt to use this. If that's the case then you'll want to perform a full audit of the box using this as guideline: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. At least check any daemon and all system logs, your login records and verify the system binaries, any stuff dropped in temp dirs. If you report back any findings please provide as much details as you can.

Are these legitimate?
 

Hello,

Thank you for the help.

With help of the above document, I did lot of research on the system. I found many files that seems to be suspicious. There is a file called "a.txt" which has some perl script in it. I have deleted it by mistake.
[root@cron.d]# pwd
/etc/cron.d

#ls -al
total 148
drwxr-xr-x 2 root root 4096 Oct 4 08:30 .
drwxr-xr-x 75 root root 12288 Oct 4 04:37 ..
-rw------- 1 root 502 270336 Jul 26 19:36 core.24771
-rw------- 1 root 502 1933312 Jul 26 20:43 core.28878

I have not created these two files and when I do this,

#file core.24771
core.24771: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'a.txt'

#file core.28878
core.28878: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'prctlpute'

Now, I got some idea where these files are. someone trying to execute these files though cron tab. So I am keep on receiving cron messages to me. I have now deleted these files.

Now, there is a file sits in /tmp directory. The file name is sh(it has suid).

# ls -l /tmp/sh
-rwsr-xr-x 1 root root 616184 Oct 4 09:08 /tmp/sh

so, file /tmp/sh gives this,

/tmp/sh: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

how do i check which service using this file or who is actually running this? when i delete this, it still comes up automatically.

lastly I found some irc services are running on my box, someone installed some proxy or psybnc (may be like this)

psybnc 9972 httpd 3u IPv4 1549354 TCP *:6969 (LISTEN)

I seen many connections made to 6969 port. How to get rid of this.

Thanks for all your help..

It took you almost a month to reply which means I clearly was not able to convey to you the seriousness of the situation. That's bad. You run a kernel that was marked vulnerable last year July (CVE-2006-2451) and you allowed users to abuse that situation. You will not get rid of this the easy way nor should you try to "fix" things.

Make this compromised machine inaccessable from the 'net by raising the firewall to only allow traffic from and to your management IP (range) and shutting down crond, killing rogue processes and any other regular services you do not need to access the box (you only need SSH). You should build a new box, use new passphrases and non-vulnerable kernel and application versions. Make the machine auditable and harden it properly before migrating content and activating services. DO NOT prune 'n graft applications onto the new box as-is but dump the application contents you need and inspect before migrating. Revisit the configuration, updating, auditing and hardening part before allowing 'net access and decommission the old box. Before you commence please read at least: Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html

(also see: LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261)

Any related questions: just ask, but please speed things up a wee bit.