hunting trojans: does vmail user need its own crond??

Brandon Vincent (Student) Brandon.Vincent at asu.edu
Tue Jun 9 06:16:51 UTC 2015


Robert,

crond should not be running as any account other than root. Can you identify the full path of the suspicious crond? For example, to find the full path of crond (running under the other user):

[linus@ubuntu ~]# ps aux | grep [c]rond
linus      1013  0.0  0.1 116864  1100 ?        Ss   Apr20   0:09 crond

[linus@ubuntu ~]# readlink -f /proc/1013/exe
/home/linus/.crond/crond

Brandon Vincent
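
The check described in the message above, extended to every cron/crond process on the host, as an added example that is not part of the original post. The function name `find_suspect_crond`, the `PROC_ROOT` variable and the allowlist of expected binary paths are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: list cron daemons that are not owned by root or are not
# running from an expected binary. The allowlist is an assumption; set it
# to the paths your distribution's cron package actually installs.
EXPECTED_CRON_PATHS="/usr/sbin/cron /usr/sbin/crond"

# find_suspect_crond [PROC_ROOT]
# Prints "pid<TAB>uid<TAB>reasons<TAB>exe" for each suspicious process.
# The body runs in a subshell so its variables do not leak to the caller.
find_suspect_crond() (
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || continue
        case $comm in
            cron|crond) ;;
            *) continue ;;
        esac
        # The real UID is the first number on the "Uid:" line of status.
        uid=$(awk '/^Uid:/ { print $2; exit }' "$dir/status" 2>/dev/null) || uid=""
        # /proc/PID/exe links to the binary actually executing; reading it
        # for another user's process requires root.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe="unreadable"
        reason=""
        [ "$uid" = "0" ] || reason="non-root-uid"
        case " $EXPECTED_CRON_PATHS " in
            *" $exe "*) ;;
            *) reason="${reason:+$reason,}unexpected-path" ;;
        esac
        # The kernel appends " (deleted)" if the binary was unlinked after start.
        case $exe in
            *" (deleted)") reason="${reason:+$reason,}binary-deleted" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\t%s\n' "${dir##*/}" "${uid:-?}" "$reason" "$exe"
        fi
    done
)

find_suspect_crond "${PROC_ROOT:-/proc}"
```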
