
I was hacked this morning!

Does anyone have an idea of what the entry of the crontab below might mean?

1st: They created a dir structure

.rsync/
├── a
│   ├── a
│   ├── anacron
│   ├── cron
│   ├── init0
│   ├── run
│   └── stop

2nd: They executed these cron jobs (listed with crontab -l):

0 */3 * * /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1

Last: it ran all my CPUs at 100% and sucked all the bandwidth from the network.

I killed all PIDs associated with ftpuser and everything went back to normal.

1 Answer

You have not solved the problem.

  1. What you found may only be the tip of the iceberg. There are many ways to hide malware. What you could see easily may well be designed to lull you into a false sense of security.
  2. Even if you managed to find all the malware, until you've found and plugged the hole it used to get in, it's likely to reappear.
  3. If you have other people's data (including but not limited to private identifying information such as email addresses, IP addresses, purchase histories, usage logs, etc.), you need to notify these people of the breach and let them know in what way their data may be compromised. It's not just a good idea, it's the law in many places.

You need to take the system down, investigate how the malware got in, and reinstall a clean copy from scratch.

For more information, see “How do I deal with a compromised server?”.


This does look like some fairly unsophisticated malware. It's in directories with vaguely plausible names:

  • ftpuser is a user that might conceivably exist on some servers whose structure is stuck a decade or two ago. (Authenticated FTP should have been long replaced by SSH including SFTP. Anonymous FTP has been pretty much replaced by HTTP(s).)
  • .nullcache is hidden in some listings. “Nullcache” is a thing in various contexts; while I'm not aware of a tool that uses a .nullcache directory, it's just plausible enough not to look completely out of place in a directory listing.
  • aptitude is a system administration tool that wouldn't be out of place in a process listing (on distributions that use it, i.e. Debian and derivatives). sync is a standard utility, but one that doesn't normally run for long, so while it would be out of place in a process listing, it has a harmless look. upd is not a standard name, but it looks harmless because it looks like it's short for “update”.
  • anacron and cron are common tools and there are directories with this name on many systems (in /var/spool). init0 is close to init. A run exists in various places (/run, /var/run). stop is uncommon as a directory name, but again not completely out of place.
  • /tmp/.X17-unix is completely implausible, but is visually similar to /tmp/.X11-unix which exists on all systems running the X Window System (X11) which the standard Unix is based on, and many people wouldn't know that the number 11 is significant.

The cron jobs run various binaries in these vaguely plausible locations at boot time (@reboot), once a week (5 8 * * 0) or roughly every three days (0 0 */3 * *).
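The look-alike names the answer walks through (hidden dot directories, a /tmp/.X11-unix mimic, binaries named after real tools but living outside the system bin directories) can be turned into a simple crontab audit. The following is an added example, not code from the question or the answer; it parses constructed sample entries modelled on the ones quoted above and lists which indicators each entry trips.

```python
import re

# Constructed sample: the entries quoted in the question (the first one kept
# exactly as pasted, with only four schedule fields) plus two benign entries.
SAMPLE_CRONTAB = """\
0 */3 * * /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
@reboot /home/ftpuser/.nullcache/a/upd>/dev/null 2>&1
5 8 * * 0 /home/ftpuser/.nullcache/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X17-unix/.rsync/c/aptitude>/dev/null 2>&1
17 * * * * /usr/bin/certbot renew --quiet
0 3 * * * /usr/local/bin/backup.sh
"""

FIELD = re.compile(r"^[\d*,/-]+$")   # numeric cron field (names like 'mon' not handled)
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEM_BIN = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Real tool names the answer says were picked to blend in; genuine copies live in SYSTEM_BIN.
SHADOWED_NAMES = {"sync", "aptitude", "anacron", "cron"}

def split_entry(line):
    """Split a crontab line into (schedule, command). The command starts at the
    first token that is not a schedule field, so a line missing a field still parses."""
    tokens = line.split()
    if tokens[0].startswith("@"):
        return tokens[0], " ".join(tokens[1:])
    i = 0
    while i < len(tokens) and FIELD.match(tokens[i]):
        i += 1
    return " ".join(tokens[:i]), " ".join(tokens[i:])

def audit_entry(line):
    """Return the list of suspicious indicators found in one crontab entry."""
    schedule, command = split_entry(line)
    exe = re.split(r"[\s>|;&]", command, maxsplit=1)[0]  # executable path, up to a redirect
    parts = exe.split("/")
    hits = []
    if exe.startswith(TEMP_DIRS):
        hits.append("runs from a world-writable temp directory")
    if any(p.startswith(".") for p in parts):
        hits.append("path contains a hidden (dot) directory")
    if any(re.fullmatch(r"\.X\d+-unix", p) and p != ".X11-unix" for p in parts):
        hits.append("directory name mimics /tmp/.X11-unix")
    if parts[-1] in SHADOWED_NAMES and not exe.startswith(SYSTEM_BIN):
        hits.append(f"'{parts[-1]}' shadows a system tool name outside the system bin dirs")
    if not schedule.startswith("@") and len(schedule.split()) != 5:
        hits.append("schedule does not have five fields")
    return hits

def audit_crontab(text):
    """Return [(entry, hits)] for every non-blank, non-comment crontab line."""
    entries = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [(e, audit_entry(e)) for e in entries]
```

Feeding `crontab -l` output (or the files under /var/spool/cron and /etc/cron.d) to audit_crontab gives a per-entry list of indicators; the two benign sample lines produce none, while the /tmp/.X17-unix entry trips four.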

  • Thanks for your reply Gilles. I actually created the ftpuser for test purposes. I found in /var/log/auth.log that the weak passwd I created for said user was accepted at 04:10 from an IP in Finland (most likely spoofed). I then installed fail2ban, and configured strict policies that block bad actors after limited attempts. The server is just for me to play around on. There is no one to notify. – Mike Byson Sep 17 '19 at 22:09