malicious cron generated every minute

Discussion in 'General' started by johnymas, Aug 2, 2022.

  1. johnymas

    johnymas Member

    Hi, how to find where a malicious cron is generated every minute?
     

    Attached Files:

    • cron.jpg
      cron.jpg
      File size:
      596.3 KB
      Views:
      19
    johnymas, Aug 2, 2022
    #1
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You could say what operating system this is on.
    Try
    Code:
    crontab -l -u web81
    If that does not help, see what crontab files are there. On my OS I use
    Code:
    ls -lh /var/spool/cron/crontabs/
     
    Taleman, Aug 3, 2022
    #2
  3. johnymas

    johnymas Member

    Thank you very much for the help I found the file. I removed the malicious file.
     

    Attached Files:

    johnymas, Aug 3, 2022
    #3
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Remember to check for security issues, the perpetrator managed to add that crontab file somehow. If that security issue is not fixed, perpetrator just adds that crontab back.
     
    Taleman, Aug 3, 2022
    #4
  5. johnymas

    johnymas Member

    Can you please tell me what or how is the best way to check it?
    I found some malicious code on web81 using wordfence security so I deleted the complete code on the web page.
     
    johnymas, Aug 3, 2022
    #5
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can e.g. use ISPProtect and let it scan the whole /var/www directory. The first scan can be used for free by using the license code "trial".
     
    till, Aug 3, 2022
    #6
  7. johnymas

    johnymas Member

    Thanks, I will try it...
    It seems like a good malware software scanner.
     
    johnymas, Aug 3, 2022
    #7

Share This Page