hunting trojans: does vmail user need its own crond??

Petter Adsen petter at synth.no
Tue Jun 9 08:00:18 UTC 2015


On Tue, 09 Jun 2015 09:27:19 +0200
robert <robert at redcor.ch> wrote:

> On 09.06.2015 08:36, Brandon Vincent (Student) wrote:
> > Correction.
> >
> > That should be: pstree -H 3336
> >
> > Brandon Vincent
> thanks,
> the path is:
> /home/vmail/.cache/crond
> 
> and the output from pstree:
> init-+-/usr/sbin/amavi---2*[/usr/sbin/amavi]
>       |-/usr/sbin/postg
>       |-/usr/sbin/spamd---2*[spamd child]
>       |-acpid
>       |-apache2---10*[apache2]
>       |-atd
>       |-clamd---{clamd}
>       |-cron
>       |-crond
> ...
> 
> and I looked into that /home/vmail/.cache/ directory.
> This is for sure a trojan ..
> 
> Now what do I do?
> is it enough to just remove it?
> It seems to be rather old (shame on me) ..
> Since 2012 (the date shown in the files in /home/vmail/.cache) I
> added tons of updates..

What is vmail, anyway? Is this a user you have added, or does it belong
to a package? I'm running dovecot, and I have no such thing. Nor can I
find anything that looks relevant with apt-file.

Either way, it should not be running a binary called 'crond'. Can you
give us the output of 'file /home/vmail/.cache/crond' and
'ldd /home/vmail/.cache/crond'?

If this is a trojan, disabling it might not be enough. There may be
other bits and pieces on your system, and the best thing would be a
reinstall from scratch, and being _very_ careful about what you keep.

Petter

-- 
"I'm ionized"
"Are you sure?"
"I'm positive."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20150609/553cf59f/attachment.pgp>


More information about the ubuntu-users mailing list