added 24 characters in body; edited tags
Gilles 'SO- stop being evil'

I was hacked this morning!

Does anyone have an idea of what the entry of the crontab below might mean?

1st: They created a dir structure

.rsync/
├── a
│   ├── a
│   ├── anacron
│   ├── cron
│   ├── init0
│   ├── run
│   └── stop

2nd: They executed this cronjob from: crontab -l

0 */3 * * /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1

Last: ran all my CPUs at 100% and sucked all the bandwidth from the network.

I killed all PIDs associated with ftpuser and everything went back to normal.
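
An added example, not part of the original post: a small Python triage pass over the crontab lines quoted above, flagging the traits a defender would check first (boot-time start, hidden directories, temp locations, discarded output, a schedule with the wrong field count). The function names and flag labels are hypothetical, and only numeric time fields are recognised.

```python
import re

# Crontab entries exactly as quoted in the post above.
CRONTAB = """\
0 */3 * * /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1
"""

TIME_FIELD = re.compile(r"^[\d*/,\-]+$")         # numeric cron time field only
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable locations

def split_entry(line):
    """Return (schedule, command) for one crontab line."""
    if line.startswith("@"):                     # @reboot, @daily, ...
        sched, _, cmd = line.partition(" ")
        return sched, cmd.strip()
    parts = line.split()
    n = 0
    while n < min(5, len(parts)) and TIME_FIELD.match(parts[n]):
        n += 1
    return " ".join(parts[:n]), " ".join(parts[n:])

def review(line):
    """Return the triage flags (illustrative labels) raised by one line."""
    sched, cmd = split_entry(line)
    path = re.split(r"[\s>]", cmd, maxsplit=1)[0]   # program path before any redirect
    flags = []
    if sched == "@reboot":
        flags.append("runs-at-boot")
    elif not sched.startswith("@") and len(sched.split()) != 5:
        flags.append("malformed-schedule")          # not five time fields
    if any(part.startswith(".") for part in path.split("/")):
        flags.append("hidden-directory")
    if path.startswith(TEMP_DIRS):
        flags.append("temp-location")
    if ">/dev/null" in cmd.replace(" ", ""):
        flags.append("output-discarded")
    return flags

def review_crontab(text):
    """Review every non-empty, non-comment line of a crontab listing."""
    return [(l, review(l)) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

if __name__ == "__main__":
    for line, flags in review_crontab(CRONTAB):
        print(", ".join(flags).ljust(55), line)
```
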

Unauthorized access to cron
