
My git crontab was empty.

Today I see it is set to this. I have no idea what it is doing.

1 1 */2 * * /home/git/.configrc/a/upd>/dev/null 2>&1
@reboot /home/git/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/git/.configrc/b/sync>/dev/null 2>&1
@reboot /home/git/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1

SSH access is by key only but somehow someone got in, set this crontab, and cleared the git authorized keys file to contain only their key.

<keydata> mdrfckr

  • I have set the firewall to deny SSH
  • set a non-standard port
  • cleared the crontab
  • removed the /home/git/.configrc directory
  • rebooted
  • checked for /tmp/.X25-unix directory but did not find it.

What has happened? What else should I do?
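For the "what else should I do" part, here is an added example (not from the question or any answer on this page): a POSIX shell script that flags crontab entries sharing the traits of the ones quoted above (hidden directories, /tmp paths, output silenced to /dev/null, @reboot persistence). It generalizes to scanning every per-user and system crontab on the host; the function names and the crontab paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Flags crontab entries that look
# like the ones above: commands under a hidden directory (a "/." path
# component), under /tmp or /dev/shm, with all output sent to /dev/null,
# or run at @reboot. Paths in scan_live_crontabs assume Debian/Ubuntu and
# RHEL layouts and need root to read other users' crontabs.

# flag_cron_lines: read crontab text on stdin, print "REASONS<TAB>LINE" for
# each suspicious entry; exit status 0 when nothing was flagged, 1 otherwise.
flag_cron_lines() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|[A-Za-z_]*=*) continue ;;   # blank, comment, VAR=value
        esac
        reason=''
        case "$line" in */.*)                reason="${reason}hidden-dir " ;; esac
        case "$line" in */tmp/*|*/dev/shm/*) reason="${reason}tmp-path " ;; esac
        case "$line" in *'>/dev/null 2>&1'*|*'> /dev/null 2>&1'*)
                                             reason="${reason}silenced " ;; esac
        case "$line" in @reboot*)            reason="${reason}reboot " ;; esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$line"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# scan_live_crontabs: run flag_cron_lines over every per-user and system
# crontab on this host (hypothetical helper; the paths are assumptions).
scan_live_crontabs() {
    for f in /var/spool/cron/crontabs/* /var/spool/cron/* /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        flag_cron_lines < "$f" | sed "s|^|$f: |"
    done
}

# Constructed sample crontab: one benign job plus entries like those in the post.
SAMPLE_CRONTAB='MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
1 1 */2 * * /home/git/.configrc/a/upd>/dev/null 2>&1
@reboot /home/git/.configrc/a/upd>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1'

printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines || echo "suspicious entries found"
```

Run `scan_live_crontabs` as root on a host you suspect; anything it prints deserves a look, and the matching ~/.ssh/authorized_keys files should be reviewed alongside it.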

  • [4] Wipe the compromised system and reinstall. You have no idea what back-doors they have hidden. – user535733 Jun 23 '20 at 23:02
  • @user535733 What about other hosts on the same LAN? – Stephen Boston Jun 23 '20 at 23:07
  • [1] Were it my LAN, I would look for evidence of intrusion on the other machines. Really, is there another answer? As Bart Simpson said in Season 10, "The explosion that failed to kill me surely must have killed the giant!" – user535733 Jun 23 '20 at 23:35
  • @user535733 Sure, thanks. How could I look? It doesn't look from the crontab or the files placed in the .configrc that they acquired root. The git user has limited privs on that server. I wonder if it's necessary to have user git. I've never liked that. Something to look into. Thanks for the help. – Stephen Boston Jun 23 '20 at 23:42
  • See https://askubuntu.com/questions/1118932/kswapd0-taking-100-cpu-time-on-ubuntu-18-04 – Zanna Aug 10 '21 at 13:35

0 Answers