crontab


Postby Zaraab » Wed May 05, 2021 10:44 pm

I don't know what's wrong, because I have inputted the standard cronjobs in the crontab. But it seems like after one or two days, my crontab shows to be empty.


The crontab shows like below
* * * * * /tmp/ast
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/crontab.EeReUx" 1L, 19C


And also my CPU load in the admin panel of vicidial shows something like 400-100%
What might be wrong please?
Zaraab
 
Posts: 84
Joined: Fri May 22, 2020 1:21 pm

Re: crontab

Postby GenXOutsourcing » Thu May 06, 2021 4:00 pm

You have been HACKED........

A client came to me with the same, their load was very high and the dialer was not working.

There are files all over the place, the /tmp/ast and the /root/.ssh/authorized_keys and even an /etc/initd

Took about 3hrs to find all of it.
Built too many to count, Centos7 Scratch install, Opensuse Scratch install, Centos8 Scratch install, etc.
Dual 8 core/32gb RAM/500gb SSDs
SVN Version:3440
VERSION: 2.14-812a
genxoutsourcing.com
GenXOutsourcing
 
Posts: 46
Joined: Sun Sep 22, 2019 12:53 am
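
The indicators named in the post above (a cron entry running from /tmp, plus /root/.ssh/authorized_keys and /etc/initd) can be checked with a short triage script. This is an added example, not part of the original thread: the function names, the `--demo` and `--scan` flags and the sample crontab are constructed for illustration, and the crontab locations are the usual CentOS and openSUSE ones.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Print "file:line: entry" for cron jobs
# that execute from a world-writable directory, like "* * * * * /tmp/ast".
suspicious_cron_lines() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank line
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }   # VAR=value line
    {
      start = ($1 ~ /^@/) ? 2 : 6          # skip "@reboot" or the 5 time fields
      for (i = start; i <= NF; i++) {
        if ($(i-1) ~ /^[0-9]*>>?$/) continue   # target of "> file" is not a command
        if (($i "/") ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//) {
          printf "%s:%d: %s\n", FILENAME, FNR, $0; next
        }
      }
    }' "$@"
}

# List the files the thread names, under an optional root prefix such as a
# mounted disk image. authorized_keys is normally legitimate: compare its
# keys and timestamp against what you deployed.
named_artifacts() {
  local root="${1:-}" p
  for p in /tmp/ast /root/.ssh/authorized_keys /etc/initd; do
    if [ -e "$root$p" ]; then ls -ld -- "$root$p"; fi
  done
}

# Constructed sample: two ordinary jobs plus the entry shown in the thread.
sample_crontab() {
  cat <<'EOF'
# constructed sample crontab
MAILTO=""
0 2 * * * /usr/local/bin/backup.sh > /tmp/backup.log 2>&1
@reboot /usr/local/bin/start_services.sh
* * * * * /tmp/ast
EOF
}

if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp); sample_crontab > "$f"; suspicious_cron_lines "$f"; rm -f "$f"
elif [ "${1:-}" = "--scan" ]; then
  # Crontab locations on CentOS and openSUSE; absent ones are skipped.
  for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/tabs/*; do
    if [ -f "$f" ]; then suspicious_cron_lines "$f"; fi
  done
  named_artifacts
fi
```

A hit is a lead for manual review, not proof of compromise, and a clean result does not change the advice later in the thread that only a reinstall is certain.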

Re: crontab

Postby Zaraab » Fri May 07, 2021 12:21 am

So vicidial is subjected to a hack? :o

and what did you find after 3hrs?

Re: crontab

Postby mflorell » Fri May 07, 2021 6:55 am

Just about any Internet-facing server can get hacked, and there is no 100% safe way to recover a server from a hack like that other than completely wiping the server and installing everything over again.

The best way to make sure the server is not hacked again is to: use long passwords, implement a strict firewall and keep the software on the server updated.
mflorell
Site Admin
 
Posts: 17774
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: crontab

Postby GenXOutsourcing » Fri May 07, 2021 10:47 am

Zaraab wrote: So vicidial is subjected to a hack? :o

and what did you find after 3hrs?


It is/was crypto mining.

But as Matt said, the ONLY way to be 100% sure, is to reinstall.

What I did was an emergency for the client, and I am waiting for them to decide when I can reinstall their system. Yes, it's working......... is it clean and secure........ I doubt it.

Re: crontab

Postby carpenox » Fri May 07, 2021 11:17 am

Check out my blog for securing your vicidial server: the.cyburhacker.com
Leap 15.2 | Version: 2.14-815a | BUILD: 210615-1108 | SVN Version: 3456 | DB Schema Version: 1635 | Asterisk 16.17.0-vici
www.CyburityLLC.com -:- 844-PC-SATA-2 -:- My Blog: the.cyburhacker.com -:- Whatsapp: +19549477572 -:- Skype: live:carpenox_3
carpenox
 
Posts: 1362
Joined: Wed Apr 08, 2020 2:02 am
Location: Coral Springs, FL

Re: crontab

Postby Zaraab » Wed May 12, 2021 6:06 am

mflorell wrote: Just about any Internet-facing server can get hacked, and there is no 100% safe way to recover a server from a hack like that other than completely wiping the server and installing everything over again.

The best way to make sure the server is not hacked again is to: use long passwords, implement a strict firewall and keep the software on the server updated.



Hey Matt, thank you so much for the heads-up!

So basically the server is in Oracle Cloud, and Oracle Cloud has a highly restricted way to SSH or connect to their servers. It's strictly bound to their VCNI and SSH key matches.

Is there something like a backdoor through which my server has been hacked, because I scratch installed it?

Re: crontab

Postby mflorell » Wed May 12, 2021 6:29 am

I have no idea, I'm not familiar with the Oracle cloud at all, and we only use OpenSuSE, so any other distro would have other vulnerabilities that I'm not familiar with.