Today's Topics:
1. Extra cron process (Martin Moore)
2. Re: Extra cron process (Max B)
3. Re: Extra cron process (Martin Moore)
4. Re: Extra cron process (ross)
----------------------------------------------------------------------
Message: 1
Date: Tue, 16 Dec 2014 18:11:38 -0000
From: "Martin Moore" <martinm@it-helps.co.uk>
To: "'Bristol and Bath Linux User Group'" <bristol@mailman.lug.org.uk>
Subject: [bristol] Extra cron process
Message-ID:
<!&!AAAAAAAAAAAYAAAAAAAAAFLxZtQqo65Oo+1jhlUB9DvCgAAAEAAAAHL7jK9uwMxGpklSPjMbJRQBAAAAAA==@it-helps.co.uk>
Content-Type: text/plain; charset="us-ascii"
I had a nagios warning of more than 1 cron running on Debian.
Had a look and there was an extra one running as www-data which I've killed.
Could someone have got in via http?
Should I be worried?
Martin.
------------------------------
Message: 2
Date: Tue, 16 Dec 2014 19:51:44 +0100
From: Max B <psykx.out@gmail.com>
To: Martin Moore <martinm@it-helps.co.uk>, Bristol and Bath Linux
User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Extra cron process
Message-ID:
<CALe8LgFB2BugYEtVb6Qi1uyEYzMxRi+gkFAJYGTirOithGM=rg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
What was it running? What's in your crontab?
We'd need to know more about the server.
Max B
On 16 December 2014 at 19:11, Martin Moore <martinm@it-helps.co.uk> wrote:
>
> I had a nagios warning of more than 1 cron running on Debian.
>
>
>
> Had a look and there was an extra one running as www-data which I've
> killed. Could someone have got in via http?
>
>
>
> Should I be worried?
>
>
>
> Martin.
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>
------------------------------
Message: 3
Date: Tue, 16 Dec 2014 19:01:30 -0000
From: "Martin Moore" <martinm@it-helps.co.uk>
To: "'Max B'" <psykx.out@gmail.com>, "'Bristol and Bath Linux User
Group'" <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Extra cron process
Message-ID:
<!&!AAAAAAAAAAAYAAAAAAAAAFLxZtQqo65Oo+1jhlUB9DvCgAAAEAAAAMtS8FBnWqxEmX+BTEM2qYsBAAAAAA==@it-helps.co.uk>
Content-Type: text/plain; charset="utf-8"
Bottom line is that I didn't think there was a cron for www-data!
That's why I'm concerned.
OK, contents of www-data cron :
* * * * * /tmp/update >/dev/null 2>&1
There is no file /tmp/update
Even more concerned now!
Can I get the date the cron file was created?
Martin.
From: Max B [mailto:psykx.out@gmail.com]
Sent: 16 December 2014 18:52
To: Martin Moore; Bristol and Bath Linux User Group
Subject: Re: [bristol] Extra cron process
What was it running? What's in your crontab?
We'd need to know more about the server.
Max B
On 16 December 2014 at 19:11, Martin Moore <martinm@it-helps.co.uk> wrote:
I had a nagios warning of more than 1 cron running on Debian.
Had a look and there was an extra one running as www-data which I've killed. Could someone have got in via http?
Should I be worried?
Martin.
------------------------------
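Added example, not written by anyone in this thread: a shell check for the kind of entry quoted in Message 3 (a per-user crontab running something out of /tmp), which also prints the crontab file's timestamps. The function names are hypothetical, the spool path /var/spool/cron/crontabs and GNU stat are assumed as on Debian, and the sample crontab is constructed apart from the /tmp/update line.

```shell
#!/bin/sh
# Added example: flag crontab entries that run from world-writable directories.
# Function names are hypothetical; Debian's spool path and GNU stat are assumed.

WRITABLE_DIRS='/tmp /var/tmp /dev/shm'   # writable by any local user, www-data included

# Read one crontab on stdin; print "user: entry" for each job in which a word
# of the command starts with one of WRITABLE_DIRS.  $1 = owning user.
flag_writable_jobs() {
    awk -v user="$1" -v dirs="$WRITABLE_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        {
            first = ($1 ~ /^@/) ? 2 : 6   # @reboot etc. use one schedule field, not five
            for (f = first; f <= NF; f++)
                for (i = 1; i <= n; i++)
                    if (index($f, d[i] "/") == 1) { print user ": " $0; next }
        }'
}

# Walk the spool (root needed) and show timestamps for any crontab with a hit.
# %y = last modification, %z = last inode change. stat often shows no birth
# time, so these two are the practical answer to "when was it put there".
audit_spool() (
    spool=${1:-/var/spool/cron/crontabs}
    for file in "$spool"/*; do
        [ -f "$file" ] || continue
        hits=$(flag_writable_jobs "$(basename "$file")" < "$file")
        [ -n "$hits" ] || continue
        printf '%s\n' "$hits"
        stat -c '    %n  modified: %y  changed: %z' "$file"
    done
)

# Constructed sample: the www-data entry quoted in Message 3 plus an ordinary job.
flag_writable_jobs www-data <<'EOF'
# m h dom mon dow command
* * * * * /tmp/update >/dev/null 2>&1
30 2 * * * /usr/bin/php /var/www/site/cron.php
EOF
```

On a live host, `audit_spool` run as root covers every user's crontab; a hit for a service account that should have no crontab at all is the case raised in this thread.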
Message: 4
Date: Wed, 17 Dec 2014 01:32:12 +0000
From: "ross" <archcraft@hushmail.com>
To: martinm@it-helps.co.uk, "Bristol and Bath Linux User Group"
<bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Extra cron process
Message-ID: <20141217013212.62216205E8@smtp.hushmail.com>
Content-Type: text/plain; charset="UTF-8"
Are you running PHP, and are the permissions on any of your files in
your webroot 777?
A quick Google search reveals that this may be a common trojan
attack.
I'd isolate the box and strip it down to find out what's been
compromised.
Sent using Hushmail
On Tue, 16 Dec 2014 18:11:57 +0000 "Martin Moore" <martinm@it-helps.co.uk> wrote:
>I had a nagios warning of more than 1 cron running on Debian.
>
>
>
>Had a look and there was an extra one running as www-data which
>I've killed.
>Could someone have got in via http?
>
>
>
>Should I be worried?
>
>
>
>Martin.
------------------------------
_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol
End of Bristol Digest, Vol 581, Issue 2
***************************************