hunting trojans: does vmail user need its own crond??

iceblink iceblink at seti.nl
Tue Jun 9 08:11:36 UTC 2015


On 2015-06-09 09:27, robert wrote:
> On 09.06.2015 08:36, Brandon Vincent (Student) wrote:
>> Correction.
>> 
>> That should be: pstree -H 3336
>> 
>> Brandon Vincent
> thanks,
> the path is:
> /home/vmail/.cache/crond
> 
> and the output from pstree:
> init-+-/usr/sbin/amavi---2*[/usr/sbin/amavi]
>      |-/usr/sbin/postg
>      |-/usr/sbin/spamd---2*[spamd child]
>      |-acpid
>      |-apache2---10*[apache2]
>      |-atd
>      |-clamd---{clamd}
>      |-cron
>      |-crond
> ...
> 
> and I looked into that /home/vmail/.cache/ directory.
> This is for sure a trojan ..
> 
> Now what do I do?
> is it enough to just remove it?
> It seems to be rather old (shame on me) ..
> Since 2012 (the date shown in the files in /home/vmail/.cache) I added
> tons of updates..
> 
> robert

Removing it is probably enough to stop your machine acting as a spam 
generator.
However there may be more malware or backdoors on your machine that you 
are not aware of.
To make sure that all of these are gone, you need to fully re-install 
your system.
That would be my recommendation.

If you feel it would be too much work to reinstall everything, and you 
like to gamble, you can take a chance and only remove the malware you 
found now.

Best regards,
Patrick
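The thread found the implant by reading pstree output by hand and spotting a "crond" next to the real "cron". The script below is an added example, not part of this thread or of any Ubuntu tool: it automates that check by resolving every running process's binary through /proc/<pid>/exe and flagging any that lives outside the usual system prefixes or inside a hidden directory such as .cache. The prefix list and the "hidden component" rule are assumptions chosen for illustration; a process whose binary resolves to /home/vmail/.cache/crond would be reported by it.

```shell
#!/bin/sh
# Added example (not from the original thread): list running processes whose
# executable resolves outside the normal system directories, which is what the
# manual pstree inspection in the thread was approximating.

# Return 0 (suspicious) when the executable path is outside the assumed trusted
# prefixes, or when any path component is hidden (starts with "."), as with
# /home/vmail/.cache/crond. Return 1 when it looks like a normal system binary.
is_suspicious_exe() {
    exe="$1"
    case "$exe" in
        /usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*|/bin/*|/sbin/*|/lib/*|/opt/*|/snap/*)
            # trusted prefix (assumed list), but a hidden component is still odd
            case "$exe" in
                */.*) return 0 ;;
                *)    return 1 ;;
            esac
            ;;
        *)
            return 0 ;;
    esac
}

# Walk /proc and print "pid<TAB>name<TAB>exe" for every suspicious process.
# Reading /proc/<pid>/exe of another user's process needs root; entries that
# cannot be read are skipped, so run it with sudo for a full picture.
scan_running_processes() {
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        # A binary deleted from disk keeps running; readlink appends " (deleted)".
        # Strip the marker so the path still matches, and note it in the output.
        deleted=""
        case "$exe" in
            *" (deleted)") exe="${exe% (deleted)}"; deleted=" [deleted on disk]" ;;
        esac
        name=$(cat "$p/comm" 2>/dev/null)
        if is_suspicious_exe "$exe"; then
            printf '%s\t%s\t%s%s\n' "$pid" "$name" "$exe" "$deleted"
        fi
    done
    return 0
}
```

Run it as root (sudo sh find_odd_exes.sh after adding a final line that calls scan_running_processes) and compare each reported path against the package that owns it with dpkg -S; a daemon-looking name that resolves under /home, /tmp or a dot-directory, or whose binary has been deleted from disk, is the pattern this thread's crond fits. Because the name in pstree is just argv[0] and can be chosen freely, the resolved /proc/<pid>/exe path is the thing to trust, not the process name.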