hunting trojans: does vmail user need its own crond??

robert rottermann robert at redcor.ch
Tue Jun 9 06:29:41 UTC 2015


Thanks Brandon,

On 09.06.2015 08:16, Brandon Vincent (Student) wrote:
> Robert,
>
> crond should not be running as any other account other than root. Can you identify the full path of the suspicious crond? For example, to find the full path of crond (running under the other user):
>
> [linus@ubuntu ~]# ps aux | grep [c]rond
> linus      1013  0.0  0.1 116864  1100 ?        Ss   Apr20   0:09 crond
>
> [linus@ubuntu ~]# readlink -f /proc/1013/exe
> /home/linus/.crond/crond
>
> Brandon Vincent

root@susanne /home/vmail # ps aux | grep cron
root      1249  0.0  0.0  23656   868 ?        Ss    2014 2:10 cron
vmail     3336  0.0  0.0    812   216 ?        Ss    2014 13:12 crond
root      6035  0.0  0.0  11716   892 pts/5    S+   07:50 0:00 grep --color=auto cron

That's actually how I found it.
Now, who put it there?
What process is starting it?

robert
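
One way to gather what the thread asks about (binary path, owner and parent) for every cron-named process that is not running as root. This is an added example, not part of the original messages; the function names, the output format and the optional proc-root argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage cron/crond processes that do not run as root.
# Usage (as root, so exe/cwd links of other users are readable):
#   . ./this_file && find_nonroot_cron
# The optional first argument is a proc root other than /proc (an assumption
# of this example), e.g. a copied tree from a system under investigation.

# Print the first value of a "Key:<tab>value..." line in a /proc/PID/status file.
# For the Uid line that first value is the real UID.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1" 2>/dev/null
}

# One line per process named cron or crond whose real UID is not 0:
#   PID uid=UID ppid=PPID(parent name) exe=PATH cwd=PATH
find_nonroot_cron() {
    local proc_root="${1:-/proc}" dir pid name uid ppid pname exe cwd
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        pid="${dir##*/}"
        name="$(status_field "$dir/status" Name || true)"
        case "$name" in
            cron|crond) ;;
            *) continue ;;
        esac
        uid="$(status_field "$dir/status" Uid || true)"
        [ "$uid" = "0" ] && continue
        ppid="$(status_field "$dir/status" PPid || true)"
        pname="$(status_field "$proc_root/$ppid/status" Name || true)"
        # Plain readlink (no -f) keeps the kernel's " (deleted)" suffix, which
        # shows that the binary was unlinked after the process started.
        exe="$(readlink "$dir/exe" 2>/dev/null || echo '?')"
        cwd="$(readlink "$dir/cwd" 2>/dev/null || echo '?')"
        printf '%s uid=%s ppid=%s(%s) exe=%s cwd=%s\n' \
            "$pid" "$uid" "$ppid" "${pname:-?}" "$exe" "$cwd"
    done
}
```

A daemonized process is reparented to PID 1, so a `ppid=1` result does not identify what originally launched it; the `exe` and `cwd` paths are the more useful leads in that case.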



More information about the ubuntu-users mailing list