hunting trojans: does vmail user need its own crond??

robert robert at redcor.ch
Tue Jun 9 07:27:19 UTC 2015 

On 09.06.2015 08:36, Brandon Vincent (Student) wrote:
> Correction.
>
> That should be: pstree -H 3336
>
> Brandon Vincent
thanks,
the path is:
/home/vmail/.cache/crond

and the output from pstree:
init-+-/usr/sbin/amavi---2*[/usr/sbin/amavi]
      |-/usr/sbin/postg
      |-/usr/sbin/spamd---2*[spamd child]
      |-acpid
      |-apache2---10*[apache2]
      |-atd
      |-clamd---{clamd}
      |-cron
      |-crond
...

and I looked into that /home/vmail/.cache/ directory.
This is for sure a trojan ..

Now what do I do?
is it enough to just remove it?
It seems to be rather old (shame on me) ..
Since 2012 (the date shown in the files in /home/vmail/.cache) I added 
tons of updates..

robert

root at susanne ~ # cd /home/vmail/.cache/
root at susanne /home/vmail/.cache # ls -l
total 552
-rw-rw-r-- 1 vmail vmail    250 Jun  7 22:00 178.63.103.118.mif.user
-rw-rw-r-- 1 vmail vmail    250 Jun  8 00:00 178.63.103.119.mif.user
-rw-rw-r-- 1 vmail vmail    250 Jun  8 10:00 178.63.103.120.mif.user
-rw-rw-r-- 1 vmail vmail    250 Jun  5 13:00 178.63.103.72.mif.user
-rwxr-x--x 1 vmail vmail    321 Mar 30  2012 autorun
-rwxr-x--x 1 vmail vmail 493576 Dec 30  2002 crond
-rwxr-xr-x 1 vmail vmail   2946 Jul 23  2012 inst
-rw-rw-r-- 1 vmail vmail     52 Dec 17  2012 md.cron
-rw-rw-r-- 1 vmail vmail     19 Dec 17  2012 md.dir
-rw-rw-r-- 1 vmail vmail   1015 Jun  9 09:00 mech.levels
-rw------- 1 vmail vmail      5 Oct  5  2014 mech.pid
-rw-rw-r-- 1 vmail vmail    990 Jun  9 09:00 mech.session
-rw-rw-r-- 1 vmail vmail   2686 Dec 17  2012 mech.set
-rw-r--r-- 1 vmail vmail      0 Dec 17  2012 motd.legal-displayed
drwxr-x--x 2 vmail vmail   4096 Mar 30  2012 randfiles
-rwxr-x--x 1 vmail vmail     31 Dec 17  2010 run
-rwxr-xr-x 1 vmail vmail    632 Jul 23  2012 start
-rwxrw-r-- 1 vmail vmail    190 Dec 17  2012 update
-rw-rw-r-- 1 vmail vmail     59 Dec 17  2012 vhosts

root at susanne /home/vmail/.cache # ls -l randfiles/
total 84
-rw-r----- 1 vmail vmail    32 Apr  7  2012 randaway.e
-rw-r----- 1 vmail vmail  3982 Dec 30  2002 randinsult.e
-rw-r----- 1 vmail vmail   830 Dec 30  2002 randkicks.e
-rw-r----- 1 vmail vmail   519 Dec 30  2002 randnicks.e
-rw-r----- 1 vmail vmail  2495 Dec 30  2002 randpickup.e
-rw-r----- 1 vmail vmail 55316 Dec 30  2002 randsay.e
-rw-r----- 1 vmail vmail  3651 Dec 30  2002 randsignoff.e
-rw-r----- 1 vmail vmail  1465 Dec 30  2002 randversions.e

More information about the ubuntu-users mailing list