
Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx

Discussion in 'General Discussion' started by Lestat, Aug 14, 2006.

  1. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx

    I keep receiving emails, about 10 every 2 minutes. The subject is

    Cron <root@static> chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 25xxx


    Email:
    chown: too few arguments
    Try `chown --help' for more information.

    How do I go about fixing this? Is this an exploit?
     
  2. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Smells like the cron.d core exploit; what kernel are you running? I would lock down the box and check it out...
     
  3. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    How do I find out the kernel I am running?
     
  4. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    2.6.10-1.771_FC2smp #1 SMP Mon Mar 28 01:10:51 EST 2005 i686 i686 i386 GNU/Linux
     
  5. darkkouta

    darkkouta Well-Known Member

    Joined:
    May 12, 2006
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    In SSH, type: uname -a
     
  6. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    Now that I have found out the version, is there a fix, and if so, how do I get it and apply it?
     
  7. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    Anyone have a fix for this?
     
  8. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    Anyone? I am running Fedora Core 2... Anyone, please help resolve this issue...
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    You need to find out how the hackers are getting into the server to resolve the issue. You'll also need to clean up that cron job by checking through /etc/cron.* and /var/spool/cron/*
     
  10. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    It looks very much like an exploit - an example of it is given at http://www.milw0rm.com/exploits/2005.

    Your only option is to get a professional to take a look at things for you.
     
  11. Lestat

    Lestat Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    199
    Likes Received:
    0
    Trophy Points:
    16
    So who can I get to take a look at it for me? Please send some recommendations for some services... thanks for your help...
     
  12. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    I'd give Chirpy a go..
     
  13. matthewdavis

    matthewdavis Well-Known Member

    Joined:
    Jun 26, 2003
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    NC, USA
    Btw, you are in fact being hit by that exploit mentioned. The CVE for this exploit is: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2451

    You can check there for the fixes for each of the distros (Red Hat, Ubuntu, suse, etc).

    I was hit by this bug on 2 of my RHEL4 boxes because I didn't stay on top of kernel upgrades. Red Hat had already released the fixed kernel when I was hit. I would suggest doing a re-install as soon as possible. There's no clue what was compromised. A Linux tech could go in and do band-aid fixes, but this exploit can provide a root shell, with which the user could have done anything to your system.

    With the 2 compromised servers, one hacker replaced all index files with his own. Luckily, on the other server he didn't do any damage. So you never know.
     
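The cron clean-up chirpy describes (checking /etc/cron.* and /var/spool/cron/*) and the payload matthewdavis describes (a dropped file made setuid root by the job's "chmod 4755") can be turned into a first triage pass. The script below is an added example written for this page; it is not code from the thread, from cPanel, or from the milw0rm exploit. The core dump a setuid program leaves in /etc/cron.d is the mechanism behind CVE-2006-2451, and cron will parse any line it can recognise out of such a file, so the script flags both the reported job text and non-text files in cron directories, then lists recently modified setuid binaries. The regex, the sample cron files, the payload path and the pid in the sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage helper for the situation
# described above: scan cron locations for the reported job pattern and for
# non-text files dropped into /etc/cron.d (a core dump is not a crontab, but
# cron still parses any line it can recognise out of one), then list recently
# modified setuid binaries, since the job's "chmod 4755" is what turns the
# dropped file into a root shell. Patterns and sample data are assumptions
# made for this example.

# Fragments of the cron line from the original post, as one extended regex.
SUSPICIOUS_RE='chmod[[:space:]]+[0-7]*4755|rm[[:space:]]+-rf[[:space:]]+/etc/cron|kill[[:space:]]+-USR1|/etc/cron\.d/core'

has_nul_bytes() {
    # Crontab files are plain text; an ELF core dump always contains NULs.
    [ "$(tr -d '\000' < "$1" | wc -c)" -ne "$(wc -c < "$1")" ]
}

scan_cron_dirs() {
    # $@: files or directories to examine, e.g. /etc/cron.d /etc/crontab
    # /var/spool/cron. Prints one finding per line; returns 0 if any were found.
    findings=$(
        for target in "$@"; do
            [ -e "$target" ] || continue
            find "$target" -type f 2>/dev/null | while read -r f; do
                if has_nul_bytes "$f"; then
                    printf '%s: not a text crontab (NUL bytes; possible core dump)\n' "$f"
                fi
                # -a: search binary files too, so a cron line embedded in a core
                # dump still shows; non-printable bytes are masked for display.
                grep -anE "$SUSPICIOUS_RE" "$f" 2>/dev/null \
                    | sed "s|^|$f:|" | tr -c '[:print:]\n' '?' || true
            done
        done
    )
    [ -n "$findings" ] || return 1
    printf '%s\n' "$findings"
}

find_recent_setuid() {
    # $1: directory to search, $2: age in days. Lists setuid files modified
    # within that window; a fresh one the package manager does not know about
    # is the likely payload of the "chmod 4755" above.
    find "$1" -xdev -type f -perm -4000 -mtime "-$2" 2>/dev/null
}

make_sample_cron_dir() {
    # Constructed sample data for the demonstration: one benign job, the job
    # text reported in the thread (pid made up), and a fake "core" containing
    # NUL bytes plus an embedded cron line, as a real dump would.
    d=$(mktemp -d)
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$d/logrotate"
    printf '* * * * * root chown root:root && chmod 4755 && rm -rf /etc/cron.d/core && kill -USR1 12345\n' > "$d/evil"
    printf '\177ELF\000\000\001\000junk\n* * * * * root chmod 4755 /tmp/payload\n\000\000' > "$d/core"
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample. On a real box run, as root:
#   scan_cron_dirs /etc/cron.d /etc/crontab /etc/cron.hourly /var/spool/cron
#   find_recent_setuid / 30
sample=$(make_sample_cron_dir)
scan_cron_dirs "$sample"
rm -rf "$sample"
```

A hit from this script is an indicator to investigate, not proof on its own, and a clean result does not clear the box: the job text in the thread shows the attacker already had root when cron ran it. On Fedora or RHEL, compare any setuid file the second function lists against the package database with `rpm -Va` before deciding it is legitimate.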