hunting trojans: does vmail user need its own crond??
Petter Adsen
petter at synth.no
Tue Jun 9 08:00:18 UTC 2015
On Tue, 09 Jun 2015 09:27:19 +0200
robert <robert at redcor.ch> wrote:
> On 09.06.2015 08:36, Brandon Vincent (Student) wrote:
> > Correction.
> >
> > That should be: pstree -H 3336
> >
> > Brandon Vincent
> thanks,
> the path is:
> /home/vmail/.cache/crond
>
> and the output from pstree:
> init-+-/usr/sbin/amavi---2*[/usr/sbin/amavi]
> |-/usr/sbin/postg
> |-/usr/sbin/spamd---2*[spamd child]
> |-acpid
> |-apache2---10*[apache2]
> |-atd
> |-clamd---{clamd}
> |-cron
> |-crond
> ...
>
> and I looked into that /home/vmail/.cache/ directory.
> This is for sure a trojan ..
>
> Now what do I do?
> is it enough to just remove it?
> It seems to be rather old (shame on me) ..
> Since 2012 (the date shown in the files in /home/vmail/.cache) I
> added tons of updates..
What is vmail, anyway? Is this a user you have added, or does it belong
to a package? I'm running dovecot, and I have no such thing. Nor can I
find anything that looks relevant with apt-file.
Either way, it should not be running a binary called 'crond'. Can you
give us the output of 'file /home/vmail/.cache/crond' and
'ldd /home/vmail/.cache/crond'?
If this is a trojan, disabling it might not be enough. There may be
other bits and pieces on your system, and the best thing would be a
reinstall from scratch, and being _very_ careful about what you keep.
Petter
--
"I'm ionized"
"Are you sure?"
"I'm positive."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20150609/553cf59f/attachment.sig>
More information about the ubuntu-users
mailing list