hunting trojans: does vmail user need its own crond??
petter at synth.no
Tue Jun 9 08:00:18 UTC 2015
On Tue, 09 Jun 2015 09:27:19 +0200
robert <robert at redcor.ch> wrote:
> On 09.06.2015 08:36, Brandon Vincent (Student) wrote:
> > Correction.
> > That should be: pstree -H 3336
> > Brandon Vincent
> the path is:
> and the output from pstree:
> |-/usr/sbin/spamd---2*[spamd child]
> and I looked into that /home/vmail/.cache/ directory.
> This is for sure a trojan ..
> Now what do I do?
> Is it enough to just remove it?
> It seems to be rather old (shame on me) ..
> Since 2012 (the date shown in the files in /home/vmail/.cache) I
> added tons of updates..
What is vmail, anyway? Is this a user you have added, or does it belong
to a package? I'm running dovecot, and I have no such thing. Nor can I
find anything that looks relevant with apt-file.
Either way, it should not be running a binary called 'crond'. Can you
give us the output of 'file /home/vmail/.cache/crond' and
If this is a trojan, disabling it might not be enough. There may be
other bits and pieces on your system, and the best thing would be a
reinstall from scratch, and being _very_ careful about what you keep.
"Are you sure?"
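
The check discussed in this thread (a 'crond' running out of /home/vmail/.cache), generalised to every running process, as an added example that is not part of the original message. It reads /proc/<pid>/exe and flags binaries started from user-writable or hidden paths; the function names and the --scan flag are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): list processes whose executable sits
# where no packaged daemon is installed, e.g. /home/vmail/.cache/crond.
# Run as root, otherwise /proc/<pid>/exe of other users cannot be read.

# classify_exe PATH -> prints "ok" or "suspicious: <reason>"
classify_exe() {
    case "$1" in
        *" (deleted)")
            # The kernel appends " (deleted)" when the file was unlinked
            # after the process started.
            echo "suspicious: binary deleted while running" ;;
        /home/*|/tmp/*|/var/tmp/*|/dev/shm/*)
            echo "suspicious: runs from user-writable location" ;;
        */.*)
            echo "suspicious: hidden directory in path" ;;
        *)
            echo "ok" ;;
    esac
}

# scan_procs -> one tab-separated line per flagged process:
#   PID  uid=<real uid>  <exe path>  <verdict>
scan_procs() {
    for d in /proc/[0-9]*; do
        # Kernel threads have no exe link; skip them and unreadable entries.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        verdict=$(classify_exe "$exe")
        [ "$verdict" = "ok" ] && continue
        uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)
        printf '%s\tuid=%s\t%s\t%s\n' "${d#/proc/}" "$uid" "$exe" "$verdict"
    done
}

# Hypothetical flag for this sketch: only scan when asked to.
if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

Software a user legitimately runs from their home directory is flagged too, so every hit needs a look with 'file' and the package manager before it is called a trojan.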
More information about the ubuntu-users