
I have recently found a lot of brute force SSH attempts on my server. As a result of that, I have changed the port of my server and put a few firewalls in place to make it harder for my server to be brute forced.

As my server was open to the world for almost a year before then, I'm not sure whether there were any successful brute force attempts, and I'm concerned about potential malware on my computer.

To that end, one of the things I'm doing is looking through my cron folders under /etc. Should I be worried about potential malware changing the cron files of valid programs like apache2 or php? Or do the cron scripts get overwritten and updated when I update the program?

It will make my job a lot easier if they update themselves. Then, I would just need to look out for files in my cron folders that have suspicious names.

John Doe
  • 231
  • 2
    Hard to tell. Think of me as a mean attacker: I could simply overwrite your apache cronjobs or put a file named dns there which wouldn't look suspicious (given its name). Maybe read "Is there a Ubuntu sanity check?" or "Can dpkg verify files from an installed package?" to learn how to verify packages. Usually this doesn't work for config files, though. And there are systemd timer objects as well, that could do harm. Compared to cronjobs they are same, same, but different. – PerlDuck Aug 12 '18 at 14:14
  • @PerlDuck Thanks for your response. I found it informative. If my apache cronjobs are edited by malware and then apache gets updated by aptitude, does apache overwrite the malware'd cron file with its own updated one? – John Doe Aug 13 '18 at 02:54
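
The comments above raise two cases: a package's cron file being altered, and an innocuously named file such as dns being dropped into a cron folder. As an added example (not part of the original thread), this script checks each cron file against the MD5 sum dpkg recorded for it as a conffile and flags files no package claims; the function name, the `--live` switch and the ROOT argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original thread). Classifies every file under
# /etc/crontab and /etc/cron.* as:
#   OK        matches the MD5 dpkg recorded when the package was installed
#   MODIFIED  belongs to a package, but the content differs from the record
#   UNOWNED   no package lists it as a conffile (admin-made or dropped in)
# Caveat: the dpkg database and md5sum live on the same disk; on a host you
# suspect is compromised, run this from trusted boot media against the
# mounted filesystem (pass its mount point as ROOT).

# check_cron_files ROOT   (reads "<path> <md5> [obsolete]" lines on stdin,
# the layout of dpkg's Conffiles field; ROOT is "" for the live system)
check_cron_files() {
    root=$1
    listing=$(cat)
    find "$root/etc/crontab" "$root"/etc/cron.* -type f 2>/dev/null | sort |
    while IFS= read -r file; do
        path=${file#"$root"}
        recorded=$(printf '%s\n' "$listing" |
            awk -v p="$path" '$1 == p { print $2; exit }')
        if [ -z "$recorded" ]; then
            echo "UNOWNED $path"
        elif [ "$recorded" = "$(md5sum < "$file" | cut -d' ' -f1)" ]; then
            echo "OK $path"
        else
            echo "MODIFIED $path"
        fi
    done
}

# Live use (hypothetical script name): ./cron-audit.sh --live [ROOT]
if [ "${1:-}" = "--live" ]; then
    dpkg-query --admindir="${2:-}/var/lib/dpkg" -W -f='${Conffiles}\n' |
        check_cron_files "${2:-}"
fi
```

It covers cron only; systemd timer units, which the comment also mentions, need a separate review.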

0 Answers