The Community Forums


Cron Hack

Discussion in 'Security' started by wemnael, Jun 9, 2013.

  1. wemnael

    wemnael Member

    Joined:
    Oct 23, 2010
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    In the past I suffered from a hacker attack and since then I receive many emails from CXS telling me that strange files are created in the /tmp directory. I have this problem with 2 of my cPanel accounts. What is happening is that all cron jobs from those accounts are being deleted at a specific time and only one cron job is present:
    /var/tmp/jUKBUNAUtK >/dev/null 2>&1

    I tried to delete this cron job and add my cron jobs, but after some hours a new file with random characters is created in the /tmp directory and the cron jobs are replaced with only one that runs that /tmp/blablalba file every x minutes.

    When this file is created, CXS automatically removes it:
    Time: Sun Jun 9 12:21:36 2013 +0300
    File: /tmp/jUKBUNAUtK
    Reason: Linux Binary
    Owner: ascorsuc:ascorsuc (1185:1177)
    Action: Moved into /etc/csf/suspicious.tar

    Also I scanned all accounts but can't figure out where that hack is installed.

    The problem is that this is happening on a regular basis and I don't know what script is causing those modifications. It's clear that a script replaces the cron files for those 2 accounts. Those accounts have Joomla 1.5, and this might be where the hacker searched for a vulnerability. Now I'm wondering what script overwrites my cron files and generates those strangely named files in the tmp directory. Do you have any idea?
     
    #1 wemnael, Jun 9, 2013
    Last edited: Jun 9, 2013
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Have you run a root kit scanner on your system to see if any root exploits are detected? Have you considered disabling/removing Joomla from those accounts until you are able to upgrade it to a newer version?

    You may also want to consider consulting with a system administrator/security specialist. There are several listings at:

    cPanel Application Catalog - System Admin Services

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    If it's just two cPanel accounts, you're not rooted (or at least it's extremely unlikely).

    You can check times in /var/log/cron for edits, but they may not be there. Odds are, being Joomla 1.5, there's a PHP shell or other hidden code in the site allowing the edits. First step, change the Joomla administrative passwords. Then run clamscan and maldet (Linux Malware Detect) on the public_html directories of the affected sites. Also, given it's cron edits, make sure there aren't suspect logins for the usernames in /var/log/secure or the cPanel access logs, /usr/local/cpanel/logs/access_log. Regardless, a new cPanel PW is in order as well.

    Hopefully maldet and/or clamscan turns up the bad PHP shells. Common directory for this on joomla 1.5 is $DOCROOT/images/stories/, make sure there aren't any PHP files in there; if there are, they're malicious.
     
  4. wemnael

    wemnael Member

    Joined:
    Oct 23, 2010
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    This is the strangest part: I scanned with both clamav and maldet and there are no threats, everything is clean. I'm pretty sure there is a hack with Joomla but don't know... I tried to add user fellow to cron.deny, but no results: my cron file is being replaced and strange files with strange file names are created daily in the tmp directory. After that the cron jobs from those 2 cPanel accounts are being replaced to run those tmp files.
    /var/log/cron:
    Jun 9 12:30:01 server crond[238137]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 12:45:01 server crond[249964]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 13:00:01 server crond[264285]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 13:15:01 server crond[278827]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 13:30:01 server crond[290975]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 13:45:01 server crond[301679]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 14:00:01 server crond[315924]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 14:15:01 server crond[328326]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 14:30:01 server crond[340209]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 14:45:01 server crond[350317]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 15:00:01 server crond[358664]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
    Jun 9 15:15:01 server crond[368865]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)

    I changed passwords and I checked logs and there is no suspicious activity....
     
    #4 wemnael, Jun 11, 2013
    Last edited: Jun 11, 2013
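Added example (not code from the thread): a small detector that runs over crond lines shaped like the /var/log/cron excerpt above and reports, per user, every cron job whose executable lives in a world-writable scratch directory such as /tmp or /var/tmp. The sample log lines are constructed from the entries posted here plus one benign root job.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the crond lines posted above (not the real log).
SAMPLE_CRON_LOG = """\
Jun 9 12:30:01 server crond[238137]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 12:45:01 server crond[249964]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 12:50:01 server crond[250100]: (root) CMD (/usr/bin/run-parts /etc/cron.hourly)
Jun 9 13:00:01 server crond[264285]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
Jun 9 13:10:01 server crond[270000]: (ascorsuc) CMD (/tmp/jUKBUNAUtK >/dev/null 2>&1)
Jun 9 13:15:01 server crond[278827]: (fellow) CMD (/var/tmp/tnQkrnzor >/dev/null 2>&1)
"""

# Syslog-style crond "CMD" line: timestamp, host, crond[pid], (user), the command run.
CRON_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ crond\[\d+\]: "
    r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

# World-writable scratch locations; a per-user cron job has no business executing from them.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_cron_line(line):
    """Return (timestamp, user, command) for a crond CMD line, or None for other lines."""
    m = CRON_LINE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("user"), m.group("cmd")


def is_scratch_exec(cmd):
    """True when the first word of the command (the executable) lives in a scratch directory."""
    parts = cmd.strip().split()
    return bool(parts) and parts[0].startswith(SCRATCH_DIRS)


def find_scratch_cron_jobs(log_text):
    """Map user -> executable -> list of run timestamps, for jobs launched from scratch dirs."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        ts, user, cmd = parsed
        if is_scratch_exec(cmd):
            hits[user][cmd.split()[0]].append(ts)
    return {user: dict(execs) for user, execs in hits.items()}
```

Run it against the real file with `find_scratch_cron_jobs(open("/var/log/cron").read())`; the run timestamps it collects are the times to line up against the access logs.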
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    So is it /var/spool/cron/fellow that's being updated?

    If the file(s) in /var/spool/cron are edited, run a 'stat' on them from shell,

    stat /var/spool/cron/fellow

    Note the 'modify' and 'change' time stamps. Then, go into the user's Apache domlogs directory (/home/fellow/access-logs/) and look for that time in the logs. If it's being done via a web app, it should be logged there. You'll have to catch it before that log rotates, or go into WHM under Tweak Settings > Stats and Logs and disable "delete raw access logs after stats run" (not the exact option name but you'll see it).

    Say for example your change time shows this:

    Change: 2013-06-09 19:31:19.000000000 -0400

    You could run:

    grep '09/Jun/2013:19:31' /home/fellow/access-logs/*
     
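Added example, not part of the thread, that does the stat-then-grep correlation quizknows describes in Python: it parses the 'Change:' value from stat, converts both sides to timezone-aware timestamps, and returns every request within a configurable window of the crontab's ctime instead of one minute prefix. The access-log lines, addresses and paths are constructed stand-ins for /home/fellow/access-logs/*.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (hypothetical IPs and paths, not from the thread).
SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [09/Jun/2013:19:20:02 -0400] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2013:19:31:18 -0400] "POST /images/stories/story.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2013:19:31:20 -0400] "GET /images/stories/story.php?c=1 HTTP/1.1" 200 33 "-" "curl/7.29.0"
198.51.100.4 - - [09/Jun/2013:19:45:11 -0400] "GET /index.php?option=com_content HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache timestamp field, e.g. [09/Jun/2013:19:31:18 -0400]
APACHE_TS = re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d [+-]\d{4})\]")


def parse_stat_change(value):
    """Parse the value after 'Change:' in stat output, e.g. '2013-06-09 19:31:19.000000000 -0400'."""
    date, clock, tz = value.split()
    clock = clock.split(".")[0]  # stat prints nanoseconds; strptime has no field for them
    return datetime.strptime(f"{date} {clock} {tz}", "%Y-%m-%d %H:%M:%S %z")


def parse_access_ts(line):
    """Return the timezone-aware timestamp of an access-log line, or None if it has none."""
    m = APACHE_TS.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None


def requests_near(change_value, log_text, window_seconds=60):
    """Access-log lines whose timestamp lies within +/- window_seconds of the crontab ctime."""
    ctime = parse_stat_change(change_value)
    window = timedelta(seconds=window_seconds)
    matches = []
    for line in log_text.splitlines():
        ts = parse_access_ts(line)
        # Both timestamps carry their UTC offset, so the comparison is correct even when
        # stat and Apache report in different zones.
        if ts is not None and abs(ts - ctime) <= window:
            matches.append(line)
    return matches
```

Feed it the real 'Change:' value and the concatenated domlogs; the request that lands a second or two before the ctime is the one that wrote the crontab.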
  6. wemnael

    wemnael Member

    Joined:
    Oct 23, 2010
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I've done this and no activity at that hour... Nothing suspicious in the logs...
     