How to find a CRON?

sky

Hello,

I post this here because it's a Debian OS.

I have had some problems with a hacker that got in the server with squirrelmail (I think).

So, I think I got all of his stuff cleaned up, but there is a cron that is logged by DA:
Feb 27 10:01:01 server /USR/SBIN/CRON[12753]: (apache) CMD (/var/www/html/squirrelmail-1.4.15/data/.sys/bin/cron.sh >/dev/null 2>&1)

That refers to a file that does not exist anymore.

The problem is: how do I find that cron?

I have looked in /etc/crontab, /etc/cron.d/* and also tried a crontab -u apache -l, but it just says that apache can't have a cron.

Thanks for any ideas.
Sky
 
Hello sky,

You should be able to find user's cron file in /var/spool/cron/crontabs.
Question: Do you have chkrootkit and rkhunter installed and set up?

Lex
 
chkrootkit and rkhunter are useless; they only find the most common rootkits.
 
I strongly suggest a fresh install, you will never be sure that your system is clean.
The attacker (which is a cracker and not a hacker, big difference) may have modified any of your pages or system files to include a custom trojan or backdoor. This is a very common practice, I assure you.

Anyway, the command may be in /etc/cron.hourly/*.
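
The locations named so far in this thread (/etc/crontab, /etc/cron.d, /var/spool/cron/crontabs, /etc/cron.hourly) can be searched in one pass for a fragment of the logged command. The following is an added example, not part of any post; the function name `find_cron_entry`, the optional root prefix, and the extra directories (cron.daily, cron.weekly, cron.monthly, /etc/anacrontab) are assumptions added here.

```shell
#!/bin/sh
# Added example: search the standard cron locations for a fixed string.
# find_cron_entry PATTERN [ROOT]
#   PATTERN  fixed string to look for, e.g. part of the command seen in syslog
#   ROOT     optional path prefix (e.g. a mounted copy of the disk);
#            empty means the live system
find_cron_entry() {
    pattern=$1
    root=${2:-}
    # First, third and last entries plus cron.hourly come from the thread;
    # anacrontab and the daily/weekly/monthly directories are added here.
    for loc in \
        /etc/crontab \
        /etc/anacrontab \
        /etc/cron.d \
        /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly \
        /var/spool/cron/crontabs
    do
        [ -e "$root$loc" ] || continue
        # -r recurse into directories, -F treat PATTERN as a literal string,
        # -n show line numbers, -H always show the file name,
        # -s stay quiet about unreadable files.
        # "|| :" keeps a no-match result from aborting callers using set -e.
        grep -rFnHs -- "$pattern" "$root$loc" || :
    done
    return 0
}

# When the script is run with arguments, search with them directly, e.g.:
#   sh find_cron.sh '.sys/bin/cron.sh'
if [ "$#" -gt 0 ]; then
    find_cron_entry "$@"
fi
```

Run it as root so that the per-user spool directory is readable; each hit is printed as file:line:content.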
 
> chkrootkit and rkhunter are useless; they only find the most common rootkits.

While user tillo is absolutely right in his assessment of the best steps to take, I find that both chkrootkit and rkhunter are great lines of defense.

Jeff
 
> While user tillo is absolutely right in his assessment of the best steps to take, I find that both chkrootkit and rkhunter are great lines of defense.
>
> Jeff

And you've actually found something with them before?
 
I did, several times. They are not complete, but they help.

Anyway, it's important to know that a false sense of security is bad: chkrootkit and rkhunter daily routines must not be the only way to check and maintain the security of a server. There must be an IDS/NIDS, periodical upgrades, offsite backups etc.
 
Hello all.

Thanks for all your replies.

I think I'm going to format and reinstall a fresh system on that server.

Next time, I'll know better!


Edit: By the way: yes, I have chkrootkit and rkhunter. No alerts.
I have had an alert on another server once with rkhunter, but not this time :)

The firewall seems a good protection, on next server I'll put one up right after fresh DA install.

Sky
 