hunting trojans: does vmail user need its own crond??
robert rottermann
robert at redcor.ch
Tue Jun 9 06:29:41 UTC 2015
Thanks, Brandon,
On 09.06.2015 08:16, Brandon Vincent (Student) wrote:
> Robert,
>
> crond should not be running as any account other than root. Can you identify the full path of the suspicious crond? For example, to find the full path of crond (running under the other user):
>
> [linus@ubuntu ~]# ps aux | grep [c]rond
> linus 1013 0.0 0.1 116864 1100 ? Ss Apr20 0:09 crond
>
> [linus@ubuntu ~]# readlink -f /proc/1013/exe
> /home/linus/.crond/crond
>
> Brandon Vincent
root@susanne /home/vmail # ps aux | grep cron
root 1249 0.0 0.0 23656 868 ? Ss 2014 2:10 cron
vmail 3336 0.0 0.0 812 216 ? Ss 2014 13:12 crond
root 6035 0.0 0.0 11716 892 pts/5 S+ 07:50 0:00 grep --color=auto cron
That's actually how I found it.
Now, who put it there?
What process is starting it?
robert
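
Added example, not part of the original thread: a shell function that generalizes the ps / readlink check quoted above to every process named cron or crond, and also reports the parent process for each one. The function names, the allowed binary locations and the overridable proc root are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example (not from the thread): triage every process named cron/crond.
# The proc root is a parameter so the function can be run on a constructed tree.

# field KEY FILE -> second column of the "KEY:" line in a /proc/PID/status file
field() { awk -v k="$1:" '$1 == k { print $2; exit }' "$2" 2>/dev/null; }

# audit_cron [PROC_ROOT]
# One line per match: STATUS pid= uid= ppid=(parent name) exe=
audit_cron() {
    local proc d pid comm uid ppid pname exe status
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        comm=$(field Name "$d/status") || continue    # process already gone
        case "$comm" in cron|crond) ;; *) continue ;; esac
        pid="${d##*/}"
        uid=$(field Uid "$d/status") || continue      # real UID
        ppid=$(field PPid "$d/status") || continue
        pname=$(field Name "$proc/$ppid/status") || pname='?'
        # Plain readlink keeps the kernel's " (deleted)" suffix, which is
        # itself worth noticing; reading other users' links needs root.
        exe=$(readlink "$d/exe" 2>/dev/null) || exe='unreadable'
        status=OK
        [ "$uid" = 0 ] || status=SUSPECT              # cron daemon not owned by root
        case "$exe" in
            /usr/sbin/cron|/usr/sbin/crond) ;;        # assumed packaged locations
            *) status=SUSPECT ;;
        esac
        printf '%s pid=%s uid=%s ppid=%s(%s) exe=%s\n' \
            "$status" "$pid" "$uid" "$ppid" "$pname" "$exe"
    done
}

audit_cron "$@"
```

A ppid of 1 means the process was either started by init or re-parented to it after its launcher exited, so the parent column alone may not show what started it.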