Cron Hack

[wemnael]

in the past I suffered from a hacker attack and since than I rteceive many emails from CXS tellming me that strange files are created in /tmp directory. I have this problem with 2 of my cPanel accounts. What is happening is that all cron jobs from those accounts are being deleted at a specific time and only one cron job is present :
/var/tmp/jUKBUNAUtK >/dev/null 2>&1

I tried to delete this cron job and add my cron jobs but after same hours a new file with random characters is created in /tmp directory and cron jobs are replaced only with one to run that /tmp/blablalba file every x minutes.

When this file is created, CXS automatically removes it:
Time: Sun Jun 9 12:21:36 2013 +0300
File: /tmp/jUKBUNAUtK
Reason: Linux Binary
Owner: ascorsuc:ascorsuc (1185:1177)
Action: Moved into /etc/csf/suspicious.tar

Also I scanned all accounts but cant figure where is that hack installed.

The problem is that this is happening at a regular basic I dont know what script is causing those modifications. It's clear that a script replace cron files for those 2 accounts. Those accounts have Joomla 1.5, and this might be where the hacker searched for vulnerability. Now I'm wondering what script overwrite my cron files and generate those strange named files in tmp directory. Do u have any idea?

 

[cPanelMichael]

Hello

Have you ran a root kit scanner on your system to see if any root exploits are detected? Have you considered disabling/removing Joomla from those accounts until you are able to upgrade it to a newer version?

You may also want to consider consulting with a system administrator/security specialist. There are several listings at:

cPanel Application Catalog - System Admin Services

Thank you.

 

[quizknows]

If it's just two cPanel accounts, you're not rooted (or at least it's extremely unlikely).

You can check times in /var/log/cron for edits, but they may not be there. Odds are being joomla 1.5 there's a PHP shell or other hidden code in the site allowing the edits. First step, change the joomla administrative passwords. Then run clamscan and maldet (linux malware detect) on the public_html directories of the affected sites. Also, given it's cron edits, make sure there arent suspect logins for the usernames in /var/log/secure or the cPanel access logs, /usr/local/cpanel/logs/access_log. Regardless, a new cPanel PW is in order as well.

Hopefully maldet and/or clamscan turns up the bad PHP shells. Common directory for this on joomla 1.5 is $DOCROOT/images/stories/, make sure there aren't any PHP files in there; if there are, they're malicious.

 

[wemnael]

This is the strangest part : I scanned with both clamav and maldet and there are no threads, everytinhg it's clean. I'm pretty sure there is a hack with Joomla but dont know... I tried to add user fellow to cron deny , but no results: my cron file is being replaced and strage files with strage file names are created daily in tmp directory. After that cron jobs from those 2 cPanel accounts are being replaced torun that tmp files..
var/log/cron:
Jun 9 12:30:01 server crond[238137]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 12:45:01 server crond[249964]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 13:00:01 server crond[264285]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 13:15:01 server crond[278827]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 13:30:01 server crond[290975]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 13:45:01 server crond[301679]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 14:00:01 server crond[315924]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 14:15:01 server crond[328326]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 14:30:01 server crond[340209]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 14:45:01 server crond[350317]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 15:00:01 server crond[358664]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 15:15:01 server crond[368865]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)

I changed passwords and I checked logs and there is no suspicious activity....

 

[quizknows]

So is it /var/spool/cron/fellow that's being updated?

If the file(s) in /var/spool/cron are edited, run a 'stat' on them from shell,

stat /var/spool/cron/fellow

Note the 'modify' and 'change' time stamps. Then, go into the users apache domlogs directory (/home/fellow/access-logs/) and look for that time in the logs. If it's being done via a web app, it should be logged there. You'll have to catch it before that log rotates, or, go in to WHM under Tweak Settings > > stats and logs > > and disable "delete raw access logs after stats run" (not the exact option name but you'll see it).

Say for example your change time shows this:

Change: 2013-06-09 19:31:19.000000000 -0400

You could run:

grep '09/Jun/2013:19:31' /home/fellow/access-logs/*

 

[wemnael]

I'v done this and no activity at that hour... Northing suspicious in the logs...