crontab

PostPosted: Wed May 05, 2021 10:44 pm
by Zaraab
I don't know what's wrong, because I have entered the standard cron jobs in the crontab. But it seems like after one or two days, my crontab shows up as empty.


The crontab shows like below (opened in the editor, empty lines omitted):

* * * * * /tmp/ast

"/tmp/crontab.EeReUx" 1L, 19C


And also my CPU load in the admin panel of VICIdial shows something like 400-100%.
What might be wrong, please?

Re: crontab

PostPosted: Thu May 06, 2021 4:00 pm
by GenXOutsourcing
You have been HACKED........

A client came to me with the same, their load was very high and the dialer was not working.

There are files all over the place, the /tmp/ast and the /root/.ssh/authorized_keys and even an /etc/initd

Took about 3hrs to find all of it.
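The indicator the thread keeps coming back to is a cron entry that runs a binary out of /tmp. Below is an added example (not posted by anyone in this thread and not part of VICIdial) of a small POSIX shell audit that flags cron lines whose command lives in a world-writable scratch directory, which is how the `* * * * * /tmp/ast` entry above would have been caught early. The crontab text at the top is constructed for the demonstration; the `audit_all_crontabs` function runs the same check against the real host and needs root so that `crontab -u` can read every user's table.

```shell
#!/bin/sh
# Added example, not from the forum thread: flag cron entries that execute
# from scratch directories such as /tmp, /var/tmp or /dev/shm.

# Constructed sample crontab for demonstration (not real data from the thread).
SAMPLE_CRONTAB='# constructed sample crontab
0 3 * * * /usr/local/bin/backup.sh
* * * * * /tmp/ast
@reboot /var/tmp/.x/run
30 2 * * 0 /opt/vicidial/weekly.sh
'

# suspicious_cron_entries: print every non-comment cron line whose command
# field starts with a path under /tmp, /var/tmp or /dev/shm.
# Arg 1: the crontab text. For "@reboot"-style lines the command is field 2,
# for the usual five-field schedule it is field 6.
suspicious_cron_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            cmd = ($1 ~ /^@/) ? $2 : $6
            if (cmd ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print $0
        }'
}

# count_suspicious: number of flagged lines in the given crontab text.
count_suspicious() {
    suspicious_cron_entries "$1" | wc -l | tr -d ' '
}

# audit_all_crontabs: run the check over every local account's crontab and
# over the system-wide cron files. Requires root for "crontab -u".
audit_all_crontabs() {
    while IFS=: read -r user _; do
        hits=$(suspicious_cron_entries "$(crontab -u "$user" -l 2>/dev/null)")
        [ -n "$hits" ] && printf 'user %s:\n%s\n' "$user" "$hits"
    done < /etc/passwd
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        # System cron files carry an extra user field, so shift it off first.
        hits=$(awk '!/^[[:space:]]*#/ && NF > 6 { $6 = ""; print }' "$f" \
               | suspicious_cron_entries "$(cat)")
        [ -n "$hits" ] && printf 'file %s:\n%s\n' "$f" "$hits"
    done
}

# Demonstration on the constructed sample; a live audit is a single call:
#   audit_all_crontabs
suspicious_cron_entries "$SAMPLE_CRONTAB"
```

A hit from this script is a reason to look further (the thread also lists a modified /root/.ssh/authorized_keys and an extra init script), not proof of compromise on its own; and as the later replies say, the only reliable recovery is a reinstall.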

Re: crontab

PostPosted: Fri May 07, 2021 12:21 am
by Zaraab
So VICIdial is subject to a hack? :o

and what did you find after 3hrs?

Re: crontab

PostPosted: Fri May 07, 2021 6:55 am
by mflorell
Just about any Internet-facing server can get hacked, and there is no 100% safe way to recover a server from a hack like that other than completely wiping the server and installing everything over again.

The best way to make sure the server is not hacked again is to: use long passwords, implement a strict firewall and keep the software on the server updated.

Re: crontab

PostPosted: Fri May 07, 2021 10:47 am
by GenXOutsourcing
Zaraab wrote: So VICIdial is subject to a hack? :o

and what did you find after 3hrs?


It is/was crypto mining.

But as Matt said, the ONLY way to be 100% sure, is to reinstall.

What I did was an emergency for the client, and I am waiting for them to decide when I can reinstall their system. Yes, it's working......... is it clean and secure........ I doubt it.

Re: crontab

PostPosted: Fri May 07, 2021 11:17 am
by carpenox
Check out my blog for securing your VICIdial server: the.cyburhacker.com

Re: crontab

PostPosted: Wed May 12, 2021 6:06 am
by Zaraab
mflorell wrote: Just about any Internet-facing server can get hacked, and there is no 100% safe way to recover a server from a hack like that other than completely wiping the server and installing everything over again.

The best way to make sure the server is not hacked again is to: use long passwords, implement a strict firewall and keep the software on the server updated.



Hey Matt, thank you so much for the heads-up!

So basically the server is in Oracle Cloud, and Oracle Cloud has a highly restricted way to SSH access or connect to their servers. It's strictly bound to their VCNI and SSH key matches.

Is there something like a backdoor through which my server has been hacked, given that I installed it from scratch?

Re: crontab

PostPosted: Wed May 12, 2021 6:29 am
by mflorell
I have no idea, I'm not familiar with the Oracle cloud at all, and we only use OpenSuSE, so any other distro would have other vulnerabilities that I'm not familiar with.