hunting trojans: does vmail user need its own crond??
iceblink
iceblink at seti.nl
Tue Jun 9 08:11:36 UTC 2015
On 2015-06-09 09:27, robert wrote:
> On 09.06.2015 08:36, Brandon Vincent (Student) wrote:
>> Correction.
>>
>> That should be: pstree -H 3336
>>
>> Brandon Vincent
> thanks,
> the path is:
> /home/vmail/.cache/crond
>
> and the output from pstree:
> init-+-/usr/sbin/amavi---2*[/usr/sbin/amavi]
> |-/usr/sbin/postg
> |-/usr/sbin/spamd---2*[spamd child]
> |-acpid
> |-apache2---10*[apache2]
> |-atd
> |-clamd---{clamd}
> |-cron
> |-crond
> ...
>
> and I looked into that /home/vmail/.cache/ directory.
> This is for sure a trojan ..
>
> Now what do I do?
> is it enough to just remove it?
> It seems to be rather old (shame on me) ..
> Since 2012 (the date shown in the files in /home/vmail/.cache) I added
> tons of updates..
>
> robert
Removing it is probably enough to stop your machine acting as a spam
generator.
However there may be more malware or backdoors on your machine that you
are not aware of.
To make sure that all of these are gone, you need to fully re-install
your system.
That would be my recommendation.
If you feel it would be too much work to reinstall everything, and you
like to gamble, you can take a chance and only remove the malware you
found now.
Best regards,
Patrick
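The thread's tell was a second cron daemon (`crond`) running from a hidden directory under a service account's home. As an added example, not part of the original mail or of Ubuntu itself, the script below walks /proc and flags processes whose executable lives in a user-writable or hidden path, or is named `crond` on a Debian/Ubuntu system (whose cron daemon is /usr/sbin/cron); the `dpkg -S` follow-up is an assumption about a Debian-based host.

```bash
#!/bin/sh
# Triage helper for a box where a rogue daemon was found (example code).
# Flags running processes whose binary sits where no system daemon should.

# Read "pid<TAB>exe-path" lines on stdin, print "pid<TAB>path<TAB>reason"
# for anything that looks out of place. Pure filter, so it is testable offline.
flag_odd_exes() {
    tab="$(printf '\t')"
    while IFS="$tab" read -r pid exe; do
        case "$exe" in
            # Binaries under home dirs, temp dirs or any hidden (dot) directory,
            # e.g. /home/vmail/.cache/crond from the thread above.
            /home/*|/tmp/*|/var/tmp/*|/dev/shm/*|*/.*/*) reason="odd-path" ;;
            # Debian/Ubuntu ship the cron daemon as /usr/sbin/cron; a process
            # named "crond" is not from the distribution's cron package.
            */crond) reason="crond-name" ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$reason"
    done
}

# Enumerate live processes as "pid<TAB>exe-path" using /proc/PID/exe.
list_running_exes() {
    for p in /proc/[0-9]*; do
        exe="$(readlink "$p/exe" 2>/dev/null)" || continue   # kernel threads have no exe
        printf '%s\t%s\n' "${p#/proc/}" "${exe% (deleted)}"
    done
}

# Second opinion on a flagged path: which installed package owns it?
# Assumes a Debian/Ubuntu host. "No owner" is a strong hint; "owned" is weaker
# evidence, since a root-level compromise can also tamper with the package database.
pkg_owner() {
    dpkg -S "$1" 2>/dev/null | cut -d: -f1
}

# Run the live scan only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--scan" ]; then
    list_running_exes | flag_odd_exes | while IFS="$(printf '\t')" read -r pid exe reason; do
        printf '%s\t%s\t%s\towner=%s\n' "$pid" "$exe" "$reason" "${owner:-$(pkg_owner "$exe")}"
    done
fi
```

Run it as root with `--scan`; a hit like `3336 /home/vmail/.cache/crond odd-path owner=` is the pattern described in the thread, and as Patrick notes, one such finding does not rule out others.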