I am working on a remote Ubuntu server. I deleted automatic cron jobs from my server, but they were recovered automatically after some days and occupy 50% of my CPU. I have attached the cron job file from my server here (it was created by someone else). Please guide me in this regard.

```
###########
0 0 */3 * * /tmp/.X19-unix/.rsync/a/upd>/dev/null 2>&1
5 8 * * 0 /tmp/.X19-unix/.rsync/b/sync>/dev/null 2>&1
@reboot /tmp/.X19-unix/.rsync/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X19-unix/.rsync/c/aptitude>/dev/null 2>&1
#############################################################
```
αғsнιη
NN_MET
  • I googled "rsync aptitude" to see if rsync self-installed a server start, and my top hit was an Ubuntu forum thread on crypto-mining malware in Ubuntu. – Paul_Pedant Jan 27 '20 at 10:19
  • Yep, this looks like the same hack as in [Unauthorized access to cron](https://unix.stackexchange.com/questions/542333/unauthorized-access-to-cron). – Freddy Jan 27 '20 at 10:33

1 Answer

The security paper on Medium, "We finally learn what hacker Rosey wants", explains how the crypto-miner malware works; the root cause is a weak root password. See "How do I deal with a compromised server?" on ServerFault.

Related:

AskUbuntu: crond64/tsm virus in Ubuntu

U&L: Suspicious crontab entry running 'xribfa4' every 15 minutes

Paulo Tomé
GAD3R
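
The crontab in the question shows three traits worth checking for on other accounts and hosts: the programs run from `/tmp`, the path contains hidden directories, and all output is discarded. The following is an added example, not code from the original posts; the heuristics, the function names and the benign contrast entry are assumptions made for illustration.

```python
import re

# Constructed sample: the four entries from the question plus one benign entry.
SAMPLE_CRONTAB = """\
0 0 */3 * * /tmp/.X19-unix/.rsync/a/upd>/dev/null 2>&1
5 8 * * 0 /tmp/.X19-unix/.rsync/b/sync>/dev/null 2>&1
@reboot /tmp/.X19-unix/.rsync/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X19-unix/.rsync/c/aptitude>/dev/null 2>&1
17 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
"""

# Assumption: locations any local user can write to on a typical Linux host.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def split_entry(line):
    """Return (schedule, command) for a user-crontab line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
        return None  # blank line, comment, or VAR=value assignment
    special = line.startswith("@")  # @reboot, @daily, ...
    fields = line.split(None, 1 if special else 5)
    if len(fields) < (2 if special else 6):
        return None
    return " ".join(fields[:-1]), fields[-1]

def findings(command):
    """Reasons a cron command deserves a closer look (heuristics only)."""
    reasons = []
    program = re.split(r"[\s><|;&]", command, maxsplit=1)[0]
    if program.startswith(WRITABLE_DIRS):
        reasons.append("runs from world-writable directory")
    if any(p.startswith(".") and p not in (".", "..") for p in program.split("/")):
        reasons.append("hidden path component")
    if re.search(r">\s*/dev/null", command) and "2>&1" in command:
        reasons.append("all output discarded")
    return reasons

def scan(crontab_text):
    """Return [(line_no, command, reasons)] for entries with findings."""
    hits = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        entry = split_entry(line)
        if entry and (reasons := findings(entry[1])):
            hits.append((no, entry[1], reasons))
    return hits

if __name__ == "__main__":
    for no, command, reasons in scan(SAMPLE_CRONTAB):
        print(f"line {no}: {command}\n    -> {', '.join(reasons)}")
```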