Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kil

Discussion in 'General Discussion' started by Lestat, Aug 14, 2006.

  1. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    166
    Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx

    I keep receiving emails, about 10 every 2 minutes. The subject is

    Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx


    Email:
    chown: too few arguments
    Try `chown --help' for more information.

    How do I go about fixing this? Is this an exploit?
     
  2. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Smells like the cron.d core exploit, what kernel are you running? I would lock down the box and check it out...
     
  3. Lestat

    Lestat Well-Known Member

    How do I find out the kernel I am running?
     
  4. Lestat

    Lestat Well-Known Member

    2.6.10-1.771_FC2smp #1 SMP Mon Mar 28 01:10:51 EST 2005 i686 i686 i386 GNU/Linux
     
  5. darkkouta

    darkkouta Well-Known Member

    Joined:
    May 12, 2006
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    156
    In SSH, type uname -a
     
  6. Lestat

    Lestat Well-Known Member

    Now that I have found out the version, is there a fix, and if so, how do I get it and apply it?
     
  7. Lestat

    Lestat Well-Known Member

    Anyone have a fix for this?
     
  8. Lestat

    Lestat Well-Known Member

    Anyone? I am running Fedora Core 2... Anyone, please help resolve this issue...
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    You need to find out how the hackers are getting into the server to resolve the issue. You'll also need to clean up that cron job by checking through /etc/cron.* and in /var/spool/cron/*
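
Added example, not part of chirpy's post or the original thread: a shell function that walks the cron locations named above and flags entries matching the indicators in the subject line Lestat quoted. The names `scan_cron` and `make_sample`, the output format, and the extra `/etc/crontab` path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): scan the cron locations named above
# for the indicators visible in the e-mailed cron subject line.

# scan_cron ROOT
#   ROOT is a path prefix: "" for the running system, or the mount point
#   of an offline disk image. Prints TYPE<TAB>detail, one finding per line.
scan_cron() {
    root=$1
    # Indicators from the subject line: a setuid chmod mode (4xxx-7xxx),
    # a USR1 signal, and a reference to /etc/cron.d/core.
    pattern='chmod[[:space:]]+[0-7]?[4-7][0-7]{3}|kill[[:space:]]+-USR1|/etc/cron\.d/core'
    # /etc/crontab is an addition here; the thread lists the other paths.
    find "$root"/etc/cron.* "$root"/etc/crontab "$root"/var/spool/cron \
        -type f 2>/dev/null |
    while IFS= read -r f; do
        # A file called core in cron.d is what the job itself tries to delete.
        case $f in
            */etc/cron.d/core|*/etc/cron.d/core.*) printf 'COREFILE\t%s\n' "$f" ;;
        esac
        # -a: search binary files (such as a core dump) as text.
        grep -aEn "$pattern" "$f" 2>/dev/null | cut -b1-200 |
        while IFS= read -r hit; do
            printf 'CRONLINE\t%s:%s\n' "$f" "$hit"
        done
    done
}

# Constructed sample tree (schedule fields and benign jobs are invented;
# the command text is the subject line quoted in the thread).
make_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/cron.d" "$t/var/spool/cron"
    printf '0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' \
        > "$t/etc/cron.d/logrotate"
    printf '* * * * * root chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx\n' \
        > "$t/etc/cron.d/core"
    printf '30 2 * * * /usr/local/bin/backup.sh\n' > "$t/var/spool/cron/alice"
    printf '%s\n' "$t"
}

case ${1:-} in
    --live) scan_cron "" ;;
    --demo) scan_cron "$(make_sample)" ;;
esac
```

Copy any flagged file aside before deleting it, since its contents and timestamps help with the first half of the advice: working out how the intruder got in.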
     
  10. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    166
    It looks very much like an exploit - an example of it is given at http://www.milw0rm.com/exploits/2005.

    Your only option is to get a professional to take a look at things for you.
     
  11. Lestat

    Lestat Well-Known Member

    So who can I get to take a look at it for me? Please send some recommendations for some services... thanks for your help...
     
  12. webignition

    webignition Well-Known Member

    I'd give Chirpy a go..
     
  13. matthewdavis

    matthewdavis Well-Known Member

    Joined:
    Jun 26, 2003
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    NC, USA
    Btw, you are in fact being hit by that exploit mentioned. The CVE for this exploit is: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451

    You can check there for the fixes for each of the distros (Red Hat, Ubuntu, SUSE, etc).

    I was hit by this bug on 2 of my RHEL4 boxes because I didn't stay on top of kernel upgrades. Red Hat had already released the fixed kernel when I was hit. I would suggest doing a re-install as soon as possible. There's no clue what was compromised. A Linux tech could go in and do bandaid fixes, but this exploit can provide a root shell, with which the user could have done anything to your system.

    With the 2 compromised servers, one hacker replaced all index files with his own. Luckily, on the other server he didn't do any damage. So you never know.
     