Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kil

**Lestat** · 08-14-2006 07:57 AM

Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx

I keep receiving emails about 10 every 2 minutes. The subjuect is

Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx

Email:
chown: too few arguments
Try `chown --help' for more information.

How do I go about fixing this? Is this an exploit?

**serversphere** · 08-14-2006 09:12 AM

Smells like the cron.d core exploit, what kernel are you running? I would lock down the box and check it out...

**Lestat** · 08-14-2006 12:51 PM

How do I find out the kernel I am running?

**Lestat** · 08-14-2006 01:02 PM

2.6.10-1.771_FC2smp #1 SMP Mon Mar 28 01:10:51 EST 2005 i686 i686 i386 GNU/Linux

**darkkouta** · 08-14-2006 01:02 PM

in ssh it types uname -a

**Lestat** · 08-14-2006 01:03 PM

Now that I had found out the version is there a fix and if so how do I get it and apply it?

**Lestat** · 08-14-2006 08:18 PM

Anyone have a fix for this?

**Lestat** · 08-15-2006 07:17 AM

anyone? I am running Fedora Core 2... anyone please help resolve this issue...

**chirpy** · 08-15-2006 09:48 AM

You need to find out how the hackers are getting into the server to resolve the issue. You'll also need to clean up that cron job by checking through /etc/cron.* and in /var/spool/cron/*

**webignition** · 08-15-2006 09:49 AM

It looks very much like an exploit - an example of it is given at http://www.milw0rm.com/exploits/2005.

Your only option is to get a professional to take a look at things for you.

**Lestat** · 08-15-2006 01:50 PM

So who can I get to take a look at it for me? Please send some recommendations for some services... thanks for your help...

**webignition** · 08-15-2006 02:02 PM

I'd give Chirpy a go..

**matthewdavis** · 08-16-2006 10:56 PM

Btw, you are in fact being hit by that exploit mentioned. The CVE for this exploit is: http://cve.mitre.org/cgi-bin/cvename...=CVE-2006-2451

You can check there for the fixes for each of the distros (Red Hat, Ubuntu, suse, etc).

I was hit by this bug on 2 of my rhel4 boxes because I didn't stay on top of kernel upgrades. Red Hat had already released the fixed kernel when I was hit. I would suggest to do a re-install as soon as possible. There's no clue what was ccompromised. A linux tech could go in and do bandaid fixes, but this exploit can provide a root shell, with which the user could have done anything to your system.

With the 2 compromised servers, one hacker replaced all index files with his own. Luckily, on the ohter server he didn't do any damage. So you never know.

LinkBack

Thread Tools

Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kil

Cron <root@srv> /usr/bin/test -x /scripts/update_db_cache && /scripts/update_db_cache

Exim & PHP & Domains & Ip's & /etc/mailips

Exim & PHP & Domains & Ip's & /etc/mailips

Cron <root@host> chown root:root /dev/shm/prctl && chmod 4755 /dev/shm/prctl && rm -

Cron <root@server> perl $aaaaaaah/auto_rvski &&& Cron <root@server> /scripts/cpbackup