Há crontab pode ser um malware

Question

Há crontab pode ser um malware

#1 resposta do Patrick Mevzek (0 votos)

0

Eu preciso de uma ajuda para explicar e resolver sobre log meu servidor, syslog sempre gravar o log

CRON[8944]: (ftpuser) CMD (/home/ftpuser/.profiles/y >/dev/null 2>&1)

embora eu tenha excluído o usuário ftpuser e o usuário do diretório inicial.

Oct 14 09:32:01 sarirotidbdr CRON[8944]: (ftpuser) CMD (/home/ftpuser/.profiles/y >/dev/null 2>&1)
Oct 14 09:32:04 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:32:04 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:32:04 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:32:04 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:32:23 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:32:23 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:32:49 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:32:49 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:32:49 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:32:49 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:33:01 sarirotidbdr CRON[11192]: (ftpuser) CMD (/home/ftpuser/.profiles/y >/dev/null 2>&1)
Oct 14 09:33:32 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:33:32 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:33:44 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:33:44 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:33:44 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:33:44 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:34:01 sarirotidbdr CRON[11228]: (ftpuser) CMD (/home/ftpuser/.profiles/y >/dev/null 2>&1)
Oct 14 09:34:20 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:34:20 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:34:48 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:34:48 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:34:48 sarirotidbdr SQLAnywhere(nicsecondaryserver): Connection terminated abnormally
Oct 14 09:34:48 sarirotidbdr SQLAnywhere(nicsecondaryserver): Disconnected TCPIP client's AppInfo: HOST=sarirotiappdr
Oct 14 09:35:01 sarirotidbdr CRON[11258]: (ftpuser) CMD (/home/ftpuser/.profiles/y >/dev/null 2>&1)

por Safuwan 14.10.2016 / 06:10

1 resposta

kylin.sh command Servidor DNS Bind9, deseja mapear o IP do host com a porta para o nome do host

score 0 · Answer 1

Você ainda tem alguns cron jobs fazendo esse comando. Dê uma olhada em crontab -l -u root e arquivos em /var/spool/cron/ .

Se você acredita que sua máquina foi comprometida, a única solução sensata seria reinstalar tudo do zero e de backups bons e não infectados conhecidos.