IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Security Forum / And now a cron exploit?
Post #422,004
by drook
Picture of drook
1/2/18 3:39:23 PM
1/2/18 3:39:23 PM
Reply
New And now a cron exploit?
On the day it was hacked, once per hour for 12 hours I got an email from my crontab with a huge list of spam links. I don't see anything amiss in the crontab now. Any ideas what this was attempting to do? Or actually did?
--

Drew
Post #422,005
by crazy
1/2/18 3:53:47 PM
1/2/18 3:53:47 PM
Reply
New Review at jobs as well
Post #422,011
by scoenye
1/2/18 9:15:49 PM
1/2/18 9:15:49 PM
Reply
New Other account's crontab?
The collection lives at /var/spool/cron/crontab (or .../crontabs)

One of the system logs should contain a trace of the jobs that were executed, as well as the user account that executed the job. The exact file is up to the configuration of the OS. (Most likely, either a dedicated cron log, or syslog. The service can show up as cron or CRON, so "grep -i" is needed to find them all.)
Post #422,012
by boxley
1/2/18 9:22:39 PM
1/2/18 9:22:39 PM
Reply
New also note /etc/cron.daily cron.weekly cron.motnly and cron.hourly
"Science is the belief in the ignorance of the experts" – Richard Feynman
     How do I research a hack tool? - (drook) - (9) - Dec. 30, 2017, 01:53:08 PM EST
         Dunno. Contact your computing appliance vendor? - (Another Scott) - (1) - Dec. 30, 2017, 02:07:44 PM EST
             Yeah, Dreamhost noticed it about 5 hours before I did - (drook) - Dec. 30, 2017, 02:50:04 PM EST
         bunch of them out there, also try sans.org thought I saw an article on last mailing -NT - (boxley) - Dec. 30, 2017, 06:23:30 PM EST
         Start with the web server logs - (scoenye) - (1) - Dec. 31, 2017, 12:47:31 PM EST
             thanks for the tip downloaded kali linux -NT - (boxley) - Dec. 31, 2017, 04:05:36 PM EST
         And now a cron exploit? - (drook) - (3) - Jan. 2, 2018, 03:39:23 PM EST
             Review at jobs as well -NT - (crazy) - Jan. 2, 2018, 03:53:47 PM EST
             Other account's crontab? - (scoenye) - (1) - Jan. 2, 2018, 09:15:49 PM EST
                 also note /etc/cron.daily cron.weekly cron.motnly and cron.hourly -NT - (boxley) - Jan. 2, 2018, 09:22:39 PM EST

Our Internal Subterfuge is up 80%! Good Job, way to go!
77 ms