
My git crontab was empty.

Today I see it is set to this. I have no idea what it is doing

1 1 */2 * * /home/git/.configrc/a/upd>/dev/null 2>&1
@reboot /home/git/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/git/.configrc/b/sync>/dev/null 2>&1
@reboot /home/git/.configrc/b/sync>/dev/null 2>&1  
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1

SSH access is by key only but somehow someone got in, set this crontab, and cleared the git authorized keys file to contain only their key.

<keydata> mdrfckr
  • I have set the firewall to deny SSH
  • set a non-standard port
  • cleared the crontab
  • removed the /home/git/.configrc directory
  • rebooted
  • checked for /tmp/.X25-unix directory but did not find it.

What has happened? What else should I do?

Stephen Boston
  • Wipe the compromised system and reinstall. You have no idea what back-doors they have hidden. – user535733 Jun 23 '20 at 23:02
  • @user535733 What about other hosts on the same LAN? – Stephen Boston Jun 23 '20 at 23:07
  • Were it my LAN, I would look for evidence of intrusion on the other machines. Really, is there another answer? As Bart Simpson said in Season 10, "*The explosion that failed to kill me surely must have killed the giant!*" – user535733 Jun 23 '20 at 23:35
  • @user535733 Sure, thanks. How could I look? It doesn't look from the crontab or the files placed in the `.configrc` that they acquired root. The `git` user has limited privs on that server. I wonder if it's necessary to have user `git`. I've never liked that. Something to look into. Thanks for the help. – Stephen Boston Jun 23 '20 at 23:42
  • See https://askubuntu.com/questions/1118932/kswapd0-taking-100-cpu-time-on-ubuntu-18-04 – Zanna Aug 10 '21 at 13:35
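As an added example (not part of the question or any comment), a small Python triage helper that parses a user crontab and flags entries showing the persistence pattern posted above: `@reboot` schedules, binaries under hidden dot-directories or world-writable temp paths, and all output silenced to `/dev/null`. The sample crontab is constructed from the question's five lines plus one ordinary job for contrast; the heuristics are assumptions that also fire on some benign jobs, so a hit is a prompt to inspect the binary, not proof by itself.

```python
import re

# Constructed sample: the five lines from the question plus one ordinary backup job (constructed) for contrast.
SAMPLE_CRONTAB = """\
1 1 */2 * * /home/git/.configrc/a/upd>/dev/null 2>&1
@reboot /home/git/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /home/git/.configrc/b/sync>/dev/null 2>&1
@reboot /home/git/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
# constructed legitimate entry for contrast
30 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
"""

HIDDEN_DIR = re.compile(r"/\.[^/\s>]+/")          # a dot-directory somewhere in the path
SILENCED = re.compile(r">\s*/dev/null\s+2>&1")     # stdout and stderr both discarded
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable locations a cron binary rarely belongs in

def parse_crontab(text: str) -> list[dict[str, str]]:
    """Split a user crontab into schedule/command pairs, skipping blanks, comments and VAR=value lines."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                   # @reboot, @daily, ...: one-word schedule
            sched, _, cmd = line.partition(" ")
        else:                                      # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:                     # malformed: no command after the time fields
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": sched, "command": cmd.strip()})
    return entries

def suspicious_reasons(entry: dict[str, str]) -> list[str]:
    """Heuristic indicators (assumed, not definitive); the combination seen in the question trips all of them."""
    cmd, reasons = entry["command"], []
    if HIDDEN_DIR.search(cmd):
        reasons.append("binary lives in a hidden dot-directory")
    if cmd.startswith(TEMP_PREFIXES):
        reasons.append("binary lives under a world-writable temp directory")
    if entry["schedule"] == "@reboot":
        reasons.append("@reboot persistence")
    if SILENCED.search(cmd):
        reasons.append("all output silenced")
    return reasons

def audit(text: str) -> list[dict[str, object]]:
    """Return only the entries that trip at least one heuristic, each with its reasons attached."""
    hits = ((e, suspicious_reasons(e)) for e in parse_crontab(text))
    return [{**e, "reasons": r} for e, r in hits if r]
```

Run it against `crontab -l -u <user>` output for every account on the box (and on the other LAN hosts, as the comments suggest), not just the `git` user; the legitimate backup line in the sample produces no hit, while all five planted lines do.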
