#31 Scan cron for nasty jobs

main
pending
unSpawn
Rkhunter (37)
5
2013-11-30
2012-06-22
HighKing
No

It would be nice if rkhunter could scan for nasty jobs in /etc/cron.* and /var/spool/cron/*
We've found nasty stuff in user cronjobs on several occasions. Maybe check for jobs that try to access files like /etc/passwd or jobs that try to run something in /tmp.

Discussion

  • unSpawn

    unSpawn - 2012-06-24

    We've discussed this between developers but I don't see a check for this coming RSN. What you could do for now is inspect common cron job directories and users cron spools and then add them to your rkhunter.conf USER_FILEPROP_FILES_DIRS test. At least you will be notified when file contents change, allowing you to inspect them.

     
  • unSpawn

    unSpawn - 2012-06-24
    • assigned_to: nobody --> unspawn
    • status: open --> pending
     
  • John Horne

    John Horne - 2012-08-09

    RKH works mainly by looking for known rootkit files or suspicious looking files. In only a few tests does it actually look 'in' files. Checking cron jobs would require looking in the files for... what? We could check to see if a known rootkit file was being run, but then RKH should pick that up anyway (because the rootkit file exists).

    I think checking for things like accessing /etc/passwd or/tmp could give false-positives. It is not unreasonable for a sysadmin to check /etc/passwd with a cron job (given that the file doesn't contain passwords, just account names).

    I think we would need a much clearer definition of 'nasty jobs' before trying to implement anything.

     
  • Evil

    Evil - 2013-11-30

    If I may interject here; I work for a pretty large hosting company, and on a lot of client servers typically when an attacker using cron it is to maintain access so it would typically be a cron job to download and execute a script. A good way to implement this would be to add in a new config variable for whitelisting things like cpanel's cron jobs and then check for wgets to various domains. Typically the malicious users will have a wget running with * * *

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks