How to find a CRON?

sky

Verified User
Joined
Nov 12, 2004
Messages
338
Hello,

I post this here because it's a Debian OS.

I have had some problems with a hacker that got into the server through SquirrelMail (I think).

So, I think I got all of his stuff cleaned up, but there is a cron that is logged by DA:
Feb 27 10:01:01 server /USR/SBIN/CRON[12753]: (apache) CMD (/var/www/html/squirrelmail-1.4.15/data/.sys/bin/cron.sh >/dev/null 2>&1)

That refers to a file that does not exist anymore.

The problem is: how do I find that cron?

I have looked in /etc/crontab and /etc/cron.d/*, and also tried crontab -u apache -l, but it just says that apache can't have a cron.

Thanks for any ideas.
Sky
 

lordlex

Verified User
Joined
Aug 17, 2008
Messages
23
Location
Romania
Hello sky,

You should be able to find the user's cron file in /var/spool/cron/crontabs.
Question: Do you have chkrootkit and rkhunter installed and set up?

Lex
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
chkrootkit and rkhunter are useless; they only find the most common rootkits.
 

tillo

Verified User
Joined
Oct 28, 2007
Messages
862
Location
Switzerland
I strongly suggest a fresh install; you will never be sure that your system is clean.
The attacker (which is a cracker and not a hacker, a big difference) may have modified any of your pages or system files to include a custom trojan or backdoor. This is a very common practice, I assure you.

Anyway, the command may be in /etc/cron.hourly/*.
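One way to run the search that lordlex and tillo describe, as an added example that is not part of this thread: a POSIX shell script that greps every file Debian's cron, anacron and at read jobs from for a literal pattern (here, part of the path from the log line), with an optional root directory so it can be pointed at a mounted copy of the disk instead of the live system. The "(apache)" in the CRON log line is the crontab owner, so /var/spool/cron/crontabs/apache is the first place to look; the cron daemon runs that file whether or not the crontab command lets apache edit it, which is what /etc/cron.allow and /etc/cron.deny decide, and the second function prints those two files. The function names and the example root /mnt/disk are assumptions.

```shell
#!/bin/sh
# find_cron.sh (added example, not from the thread): list every file that
# Debian cron(8), anacron and at(1) read jobs from and print the ones that
# contain PATTERN. ROOT (default /) lets you point it at a mounted image of
# the compromised disk, e.g. /mnt/disk (assumed path), instead of the live box.

find_cron_jobs() {
    pattern=$1
    root=${2:-/}
    root=${root%/}          # "/" becomes "", so the paths below stay absolute
    found=0
    # Per-user crontabs first: the "(apache)" in the CRON log line is the
    # crontab owner, so ROOT/var/spool/cron/crontabs/apache is the first suspect.
    for f in "$root/var/spool/cron/crontabs"/* \
             "$root/var/spool/cron/atjobs"/* \
             "$root/etc/crontab" \
             "$root/etc/anacrontab" \
             "$root/etc/cron.d"/* \
             "$root/etc/cron.hourly"/* \
             "$root/etc/cron.daily"/* \
             "$root/etc/cron.weekly"/* \
             "$root/etc/cron.monthly"/*; do
        [ -f "$f" ] || continue          # skips unmatched globs and directories
        # -F: PATTERN is a literal string (a path), not a regular expression.
        if grep -F -q -- "$pattern" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    # Exit status 0 when at least one file matched, 1 otherwise.
    [ "$found" -eq 1 ]
}

# "crontab -u apache -l" refusing to work is decided by these two files; only
# the crontab(1) command checks them. The daemon still runs the spool file.
crontab_policy() {
    root=${1:-/}
    root=${root%/}
    for f in "$root/etc/cron.allow" "$root/etc/cron.deny"; do
        [ -f "$f" ] || continue
        printf '== %s ==\n' "$f"
        cat "$f"
    done
}

if [ "$#" -ge 1 ]; then
    find_cron_jobs "$1" "${2:-/}"
    crontab_policy "${2:-/}"
else
    echo "usage: $0 PATTERN [ROOT]   e.g. $0 /data/.sys/bin/cron.sh /mnt/disk" >&2
fi
```

Run it with a fragment of the path rather than the whole command line, and a second time with just the script name (cron.sh), because a script dropped in /etc/cron.hourly could call the path indirectly. Whatever file it prints, check its owner and modification time with ls -l before deleting the line; the entry will keep producing the "file not found" log line until it is removed, and removing it does not change tillo's point that a reinstall is the only way to be sure the box is clean.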
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
chkrootkit and rkhunter are useless; they only find the most common rootkits.
While user tillo is absolutely right in his assessment of the best steps to take, I find that both chkrootkit and rkhunter are great lines of defense.

Jeff
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
While user tillo is absolutely right in his assessment of the best steps to take, I find that both chkrootkit and rkhunter are great lines of defense.

Jeff

And you've actually found something with them before?
 

tillo

Verified User
Joined
Oct 28, 2007
Messages
862
Location
Switzerland
I did, several times. They are not complete, but they help.

Anyway, it's important to know that a false sense of security is bad: chkrootkit and rkhunter daily routines must not be the only way to check and maintain the security of a server. There must be an IDS/NIDS, periodic upgrades, offsite backups, etc.
 

sky

Verified User
Joined
Nov 12, 2004
Messages
338
Hello all.

Thanks for all your replies.

I think I'm going to format and reinstall a fresh system on that server.

Next time, I'll know better!


Edit: By the way, yes, I have chkrootkit and rkhunter. No alerts.
I have had an alert on another server once with rkhunter, but not this time :)

The firewall seems a good protection; on the next server I'll put one up right after a fresh DA install.

Sky
 