cronjob runs malicious script and tries to login: hack-> Non-base64 authentication's

xema


Hi,

One of my clients' websites got hacked and they left some stuff. I removed the client and most of the hacker's stuff, but I can't find the script that is run through a cronjob.

The cronjob starts at 19:40, which runs my WHMCS cron but at the same time runs the script. Also, running the cron manually gives the same outcome. Should I look inside the WHMCS SQL file? Or is it calling a script on the server at the same time? Seems unlikely as it only does the WHMCS cron...

2013:02:26-19:40:07: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' ***
2013:02:26-19:40:07: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account ***


2013:02:27-13:35:05: servers external ip has tried to log in 16 times, unsuccessfully, this time into **hack-> Non-base64 authentication's account ***
2013:02:27-13:35:05: *** servers external ip has tried to login with an invalid username: '**hack-> Non-base64 authentication' ***
 
Did you remove the user completely?

To list the crons of the user you can use:
Code:
crontab -u username -l

You might also want to look at:

/var/spool/cron/crontabs

or

/var/spool/cron
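An added example, not part of the original reply: a shell function that walks a cron spool directory such as the two named above and flags crontab files left behind for accounts that no longer exist, which is the case the "removed completely?" question is about. The function name `audit_cron_spool` is hypothetical, and it assumes each spool file is named after its owning user.

```shell
#!/bin/sh
# audit_cron_spool SPOOL_DIR [PASSWD_FILE]
# (hypothetical helper, not from the thread)
# For each crontab file in SPOOL_DIR prints "<status> <user> <count>", where
# status is ORPHAN if <user> is absent from PASSWD_FILE (default /etc/passwd)
# and <count> is the number of non-blank, non-comment lines. Those lines are
# then printed indented so they can be reviewed.
audit_cron_spool() {
    spool=$1
    passwd=${2:-/etc/passwd}
    active='^[[:space:]]*(#|$)'          # matches blank lines and comments
    [ -d "$spool" ] || return 0          # a missing spool dir is not an error
    for f in "$spool"/*; do
        [ -f "$f" ] || continue          # skip subdirectories such as crontabs/
        user=$(basename "$f")
        # grep -c exits 1 when the count is 0, so neutralise that status.
        entries=$(grep -cvE "$active" "$f" 2>/dev/null || true)
        if cut -d: -f1 "$passwd" | grep -qxF -- "$user"; then
            status=OK
        else
            status=ORPHAN                # crontab survives a deleted account
        fi
        printf '%s %s %s\n' "$status" "$user" "${entries:-0}"
        grep -vE "$active" "$f" 2>/dev/null | sed 's/^/    /'
    done
}

# When run with arguments, audit each directory given, e.g. as root:
#   sh audit_cron.sh /var/spool/cron /var/spool/cron/crontabs
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        audit_cron_spool "$d"
    done
fi
```
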
 
The user doesn't exist. No crons on any users except for a backup in DirectAdmin. I think it's an SQL injection but have no idea how to quickly find it without searching through 100s of tables..
 
This thread has been resolved. It was not a hack or hack attempt or an insecurity.

Jeff
 