Wednesday, 17 December 2014

Bristol Digest, Vol 581, Issue 3

Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk

You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."


Today's Topics:

1. Re: Extra cron process (nick robinson)
2. Re: Extra cron process (Martin Moore)
3. Re: Extra cron process (Shane McEwan)


----------------------------------------------------------------------

Message: 1
Date: Wed, 17 Dec 2014 08:12:45 +0000
From: nick robinson <nick@njrobinson.net>
To: Martin Moore <martinm@it-helps.co.uk>, Bristol and Bath Linux
User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Extra cron process
Message-ID:
<CADo8qK4JA50Mk2TmmH0OjEFckSnc21KwyJm2rrpLQ10ou83nhw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

They are normally kept in

/var/spool/cron/tabs

If you use stat on the file it should give you the create/modify date.

On 16 December 2014 at 19:01, Martin Moore <martinm@it-helps.co.uk> wrote:
>
> Bottom line is that I didn't think there was a cron for www-data!
>
> That's why I'm concerned.
>
> OK, contents of www-data cron :
>
> * * * * * /tmp/update >/dev/null 2>&1
>
> There is no file /tmp/update
>
> Even more concerned now!
>
> Can I get the date the cron file was created?
>
> Martin.
>
> *From:* Max B [mailto:psykx.out@gmail.com]
> *Sent:* 16 December 2014 18:52
> *To:* Martin Moore; Bristol and Bath Linux User Group
> *Subject:* Re: [bristol] Extra cron process
>
> What was it running? What's in your cron tab?
>
> We'd need to know more about the server.
>
> Max B
>
> On 16 December 2014 at 19:11, Martin Moore <martinm@it-helps.co.uk> wrote:
>
> I had a nagios warning of more than 1 cron running on Debian.
>
> Had a look and there was an extra one running as www-data which I've
> killed. Could someone have got in via http?
>
> Should I be worried?
>
> Martin.
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
> ------------------------------
>
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 2015.0.5577 / Virus Database: 4235/8727 - Release Date: 12/13/14
>

------------------------------

Message: 2
Date: Wed, 17 Dec 2014 08:26:04 -0000
From: "Martin Moore" <martinm@it-helps.co.uk>
To: "'Bristol and Bath Linux User Group'" <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Extra cron process
Message-ID:
<!&!AAAAAAAAAAAYAAAAAAAAAFLxZtQqo65Oo+1jhlUB9DvCgAAAEAAAANiofKhTdWNKuZCg5FF53bQBAAAAAA==@it-helps.co.uk>
Content-Type: text/plain; charset="us-ascii"

>running php
Yes

>are the permissions on any of your files in your webroot 777?
No :)


-----Original Message-----
From: bristol-bounces@mailman.lug.org.uk
[mailto:bristol-bounces@mailman.lug.org.uk] On Behalf Of ross
Sent: 17 December 2014 01:32
To: martinm@it-helps.co.uk; Bristol and Bath Linux User Group
Subject: Re: [bristol] Extra cron process


Are you running php, and are the permissions on any of your files in your
webroot 777?

a quick google search reveals that this may be a common trojan attack

I'd isolate the box and strip it down to find out what's been compromised.


Sent using Hushmail

On Tue, 16 Dec 2014 18:11:57 +0000 "Martin Moore" <martinm@it-helps.co.uk> wrote:
>I had a nagios warning of more than 1 cron running on Debian.
>
>Had a look and there was an extra one running as www-data which
>I've killed.
>Could someone have got in via http?
>
>Should I be worried?
>
>Martin.


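ross's question about 777 permissions in the webroot is the first thing to check once PHP is in the picture: a world-writable file or directory under DocumentRoot lets a PHP bug, or any other local user, drop something the web server then runs as www-data. The script below is an added example for this page, not code posted by anyone on the thread. WEBROOT defaulting to /var/www is an assumption made here (Debian's usual DocumentRoot parent), and the directory layout in the usage is constructed for illustration, not taken from Martin's server.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Lists everything under the webroot that any user on the box can write to.
# WEBROOT is a name introduced here; /var/www is Debian's default location.

WEBROOT="${WEBROOT:-/var/www}"

# Print every world-writable regular file or directory under $1 as
# "<octal mode> <owner> <path>", one per line. -perm -0002 is the POSIX
# spelling of "the others-write bit is set", so 777/666 objects and sticky
# 1777 directories are all reported; symlinks are skipped because their
# own mode bits are meaningless. Exit 0 when nothing was found, 1 otherwise,
# so the function can double as a monitoring check.
world_writable_under() {
    root=${1:-$WEBROOT}
    hits=$(find "$root" \( -type f -o -type d \) -perm -0002 \
                -exec stat -c '%a %U %n' {} +)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Stand-alone use:  sh webroot-perms.sh --run [/path/to/webroot]
if [ "${1:-}" = "--run" ]; then
    world_writable_under "${2:-$WEBROOT}"
fi
```

A clean result does not clear the box, but anything this prints is a place where a compromise could have started or been staged, and the owner column tells you who to ask about it. Run it against a copy of the disk rather than the live system once the machine has been isolated.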




------------------------------

Message: 3
Date: Wed, 17 Dec 2014 10:14:20 +0000
From: Shane McEwan <shane@mcewan.id.au>
To: bristol@mailman.lug.org.uk
Subject: Re: [bristol] Extra cron process
Message-ID: <5491577C.1060401@mcewan.id.au>
Content-Type: text/plain; charset=utf-8

That looks very suspicious!

'stat /var/spool/cron/crontabs/www-data' should tell you when the file
was created. The "Change" time is the closest you can get to a create
time although that time is updated if the file is chmodded or chowned.

The /tmp directory is usually wiped out when the machine is rebooted so
if /tmp/update doesn't exist then it means the crontab was probably
created before the last reboot of the machine.

Either way, it looks to me like you've been hacked. :-(

Backup your important files, wipe the disk and reinstall. It's the only
way to be sure.

Shane.

On 16/12/14 19:01, Martin Moore wrote:
> Bottom line is that I didn't think there was a cron for www-data!
>
> That's why I'm concerned.
>
> OK, contents of www-data cron :
>
> * * * * * /tmp/update >/dev/null 2>&1
>
> There is no file /tmp/update
>
> Even more concerned now!
>
> Can I get the date the cron file was created?
>
> Martin.
>
> *From:* Max B [mailto:psykx.out@gmail.com]
> *Sent:* 16 December 2014 18:52
> *To:* Martin Moore; Bristol and Bath Linux User Group
> *Subject:* Re: [bristol] Extra cron process
>
> What was it running? What's in your cron tab?
>
> We'd need to know more about the server.
>
> Max B
>
> On 16 December 2014 at 19:11, Martin Moore <martinm@it-helps.co.uk
> <mailto:martinm@it-helps.co.uk>> wrote:
>
> I had a nagios warning of more than 1 cron running on Debian.
>
> Had a look and there was an extra one running as www-data which I've
> killed. Could someone have got in via http?
>
> Should I be worried?
>
> Martin.
>
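Nick's and Shane's advice above (stat the www-data crontab, read its Change time as the nearest thing to a creation time, and remember that /tmp is emptied on reboot, so a missing /tmp/update points to a crontab older than the last boot) can be turned into a repeatable triage step. The script below is an added example for this page, not code posted by anyone on the thread. It assumes the Debian spool path /var/spool/cron/crontabs and GNU coreutils stat; CRONTAB_DIR is an environment variable introduced here so the same script can be pointed at a copy of the spool taken from a disk image, which is the safer thing to examine once the box has been isolated as ross suggested. It generalises the /tmp/update case slightly: an entry is flagged when the program it runs lives in /tmp, /var/tmp or /dev/shm, or is an absolute path that no longer exists. The crontab contents in the test are constructed, not captured from Martin's server.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Triage of per-user crontabs after an unexpected cron process.
# Assumes the Debian layout (/var/spool/cron/crontabs) and GNU coreutils
# stat. CRONTAB_DIR is a name introduced here so the script can be run
# against an offline copy of the spool.

CRONTAB_DIR="${CRONTAB_DIR:-/var/spool/cron/crontabs}"

# Print the command part of one user-crontab line. Handles the classic
# "m h dom mon dow command" form and the "@reboot command" shortcuts.
# Returns 1 and prints nothing for blank lines, comments and VAR=value
# assignments such as MAILTO=root, so callers can skip them.
cron_command() {
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    case "$line" in
        ''|'#'*|[A-Za-z_]*=*) return 1 ;;
        @*) printf '%s\n' "$line" | awk '{ $1 = ""; sub(/^[ \t]+/, ""); print }' ;;
        *)  printf '%s\n' "$line" | awk '{ $1 = $2 = $3 = $4 = $5 = ""; sub(/^[ \t]+/, ""); print }' ;;
    esac
}

# True (exit 0) when the program a crontab entry runs looks like a dropped
# payload: it lives in a world-writable scratch directory, or it is an
# absolute path that no longer exists (the /tmp/update case: /tmp was
# emptied by a reboot but the entry kept firing every minute).
# Programs given by bare name (php, curl) are resolved via PATH at run time
# and are not judged here.
is_suspicious_cron_cmd() {
    prog=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$prog" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        /*) [ -e "$prog" ] || return 0 ;;
    esac
    return 1
}

# Walk every crontab in a spool directory. For each file print the times
# stat can recover: Modify (last content write), Change (last inode change,
# the closest thing to a creation time on most filesystems, but it also
# moves on chmod/chown) and Birth where the filesystem records it ("-"
# otherwise). Then print each flagged entry as "SUSPICIOUS <user>: <cmd>".
# Exit 0 when nothing was flagged, 1 otherwise (nagios-style).
audit_crontab_dir() {
    dir=${1:-$CRONTAB_DIR}
    flagged=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        printf '%s\n  modify: %s\n  change: %s\n  birth:  %s\n' \
            "$user" "$(stat -c %y "$f")" "$(stat -c %z "$f")" "$(stat -c %w "$f")"
        while IFS= read -r line || [ -n "$line" ]; do
            cmd=$(cron_command "$line") || continue
            if is_suspicious_cron_cmd "$cmd"; then
                printf '  SUSPICIOUS %s: %s\n' "$user" "$cmd"
                flagged=1
            fi
        done < "$f"
    done
    return "$flagged"
}

# Stand-alone use (reading the live spool needs root):
#   sh audit-crontabs.sh --run
#   CRONTAB_DIR=/mnt/image/var/spool/cron/crontabs sh audit-crontabs.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_crontab_dir "${2:-$CRONTAB_DIR}"
fi
```

The file name audit-crontabs.sh is just a suggestion. stat reports a Birth time only when the filesystem records it and both kernel and coreutils are new enough to read it; on a machine of the vintage in this thread expect "-" there, which is exactly why Shane points at the Change time as the fallback. Treat the Change time as an upper bound, not a fact: anything that later chmodded or chowned the file moved it.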



------------------------------

_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol

End of Bristol Digest, Vol 581, Issue 3
***************************************
