
Thread: git account infected with intruder SSH key and crontab

  1. #1

    git account infected with intruder SSH key and crontab

    I have the infection described here

    https://ubuntuforums.org/showthread.php?t=2395684


    My git crontab was set to this :

    1 1 */2 * * /home/git/.configrc/a/upd>/dev/null 2>&1
    @reboot /home/git/.configrc/a/upd>/dev/null 2>&1
    5 8 * * 0 /home/git/.configrc/b/sync>/dev/null 2>&1
    @reboot /home/git/.configrc/b/sync>/dev/null 2>&1
    0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1

    SSH access is by key only but somehow someone got in, set this crontab, and cleared the git authorized keys file to contain only their key:

    <keydata> mdrfckr
    I have set the firewall to deny SSH
    set a non-standard port
    cleared the crontab
    removed the /home/git/.configrc directory
    rebooted
    checked for /tmp/.X25-unix directory but did not find it.


    I am concerned that the infection is persistent on the gitserver or has infected one of the clients.

    It *looks* like the intruder did not acquire root access (git user has very limited privs on the server). None of the directories listed in the cron or in any of the files in the .configrc directory require root access, but still I am concerned.

    I understand that in the interest of absolute caution I should wipe the server. That would not be a big job; I've already moved its BIND server to another host without difficulty. But I'd like to sleuth about a bit. I have time to do it.

    What to do? Where to look?
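    The two persistence mechanisms described in this post (cron entries that run from a hidden directory or from /tmp, and an authorized_keys file that no longer holds only the keys the admin issued) can be checked mechanically. The script below is an added example, not code from the thread or from Ubuntu; it runs against constructed sample input modelled on the crontab and key line shown above, and the `--live` mode walks file locations assumed for a Debian/Ubuntu host (`/var/spool/cron/crontabs`, `/etc/cron.d`, `/home/*/.ssh/authorized_keys`). It assumes authorized_keys entries are plain `type base64 comment` lines with no options prefix, and that you have a file of the public keys you actually issued.

```shell
#!/bin/sh
# Added example (not from the thread): audit the persistence mechanisms the
# post describes. Sample data below is constructed; live paths are assumptions
# for a Debian/Ubuntu host.
set -eu

# Print non-comment crontab lines that fire at @reboot, or whose command path
# passes through a hidden directory (/.name/) or a world-writable temp dir.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' \
      | grep -E '^@reboot|/\.[^/ ]+/|(^|[[:space:]])/(tmp|var/tmp|dev/shm)/' || true
}

# Print authorized_keys entries whose "type base64" pair is not in $1, a
# newline-separated list of keys you issued (e.g. from: cut -d' ' -f1,2 *.pub).
# Matching on the key material rather than the comment matters: the comment is
# whatever the intruder chose to write, the blob is not.
# Assumes plain "type base64 comment" lines, no leading options field.
flag_unknown_keys() {
    known="$1"
    grep -Ev '^[[:space:]]*(#|$)' \
      | while read -r keytype blob comment; do
            printf '%s\n' "$known" | grep -qxF -- "$keytype $blob" \
              || printf '%s %s %s\n' "$keytype" "$blob" "$comment"
        done
}

# --- constructed sample input, modelled on what the post shows ---
SAMPLE_CRON='# m h dom mon dow command
30 6 * * * /usr/local/bin/git-backup.sh
1 1 */2 * * /home/git/.configrc/a/upd>/dev/null 2>&1
@reboot /home/git/.configrc/a/upd>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1'

SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyDataOnly mdrfckr'

# The only key the (hypothetical) admin ever issued for the git account.
KNOWN_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnly'

count_flagged_cron() { printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines | wc -l | tr -d ' '; }
count_unknown_keys() { printf '%s\n' "$SAMPLE_KEYS" | flag_unknown_keys "$KNOWN_KEYS" | wc -l | tr -d ' '; }

# Run the same checks on a live host. $1 is the known-keys list as a string.
# Reading other users' crontabs needs root; -maxdepth is GNU/BSD find.
audit_live() {
    for f in /var/spool/cron/crontabs/* /etc/cron.d/* /etc/crontab; do
        [ -f "$f" ] || continue
        flag_cron_lines < "$f" | sed "s|^|$f: |"
    done
    for k in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$k" ] || continue
        flag_unknown_keys "$1" < "$k" | sed "s|^|$k: |"
    done
    # Hidden directories in temp space, like the /tmp/.X25-unix the post names.
    find /tmp /var/tmp /dev/shm -maxdepth 2 -name '.*' -type d 2>/dev/null || true
}

if [ "${1:-}" = "--live" ]; then
    audit_live "$(cat "${2:?path to known-keys file}")"
else
    printf 'suspicious cron lines:\n'
    printf '%s\n' "$SAMPLE_CRON" | flag_cron_lines
    printf 'keys not in the issued list:\n'
    printf '%s\n' "$SAMPLE_KEYS" | flag_unknown_keys "$KNOWN_KEYS"
fi
```

    On the sample data the cron check flags the three entries that run from `/home/git/.configrc` or `/tmp/.X25-unix`, and the key check reports only the `mdrfckr` key. Two caveats for a real audit: if there is any chance root was obtained, the host's own `grep`, `find` and `sed` are not trustworthy, so run checks from a boot medium or copy the files off first; and a clean result from this script only covers the two mechanisms the post already found, not other places the same user could hide (systemd user units, shell rc files, `at` jobs), nor the clients whose keys used to be in that file.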

  2. #2

    Re: git account infected with intruder SSH key and crontab

    Do what the other thread says.
