Page 1 of 1
crontab
Posted:
Wed May 05, 2021 10:44 pmby Zaraab
I dont know whats wrong because I have inputted the standard cronjobs in the crontab. But seems like after one or two days, my crontab shows to be empty.
The crontab shows like below
* * * * * /tmp/ast
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/crontab.EeReUx" 1L, 19C
And also my cpu load in admin panel of vicidial shows something like 400-100%
What might be wrong please?
Re: crontab
Posted:
Thu May 06, 2021 4:00 pmby GenXOutsourcing
You have been HACKED........
A client came to me with the same, their load was very high and the dialer was not working.
There are files all over the place, the /tmp/ast and the /root/.ssh/authorized_keys and even an /etc/initd
Took about 3hrs to find all of it.
Re: crontab
Posted:
Fri May 07, 2021 12:21 amby Zaraab
So vicidial is subjected to a hack?
and what did you find after 3hrs?
Re: crontab
Posted:
Fri May 07, 2021 6:55 amby mflorell
Just about any Internet-facing server can get hacked, and there is no 100% safe way to recover a server from a hack like that other than completely wiping the server and installing everything over again.
The best way to make sure the server is not hacked again is to: use long passwords, implement a strict firewall and keep the software on the server updated.
Re: crontab
Posted:
Fri May 07, 2021 10:47 amby GenXOutsourcing
Zaraab wrote:So vicidial is subjected to a hack?
and what did you find after 3hrs?
It is/was crypto mining.
But as Matt said, the ONLY way to be 100% sure, is to reinstall.
What I did was an emergency for the client, and I am waiting for them to decide when I can reinstall their system. Yes, its working......... is it clean and secure........ i doubt it.
Re: crontab
Posted:
Fri May 07, 2021 11:17 amby carpenox
check out my blog for securing your vicidial server the.cyburhacker.com
Re: crontab
Posted:
Wed May 12, 2021 6:06 amby Zaraab
mflorell wrote:Just about any Internet-facing server can get hacked, and there is no 100% safe way to recover a server from a hack like that other than completely wiping the server and installing everything over again.
The best way to make sure the server is not hacked again is to: use long passwords, implement a strict firewall and keep the software on the server updated.
hey Mat thank you so much for a headsup!
So basically the server is in oracle cloud and oracle cloud has highly restricted way to SSH access or connect to their servers. Its strictly bound to their VCNI and ssh key matches.
Is there something like a backdoor through which my server has been hacked as because I scratch installed it?
Re: crontab
Posted:
Wed May 12, 2021 6:29 amby mflorell
I have no idea, I'm not familiar with the Oracle cloud at all, and we only use OpenSuSE, so any other distro would have other vulnerabilities that I'm not familiar with.