
I don't know if this was an effect of the Shellshock attack which my server was victim to (or another attack that worked) but it basically enabled the hacker to overwrite my SSH config file when the server rebooted.

This new file used wget to load in a file from a website, then another library of hack functions which I guessed he then used to run hacks/DoS from my server. I caught it pretty fast and ideally want to upgrade but because I have cancer and just had a big operation it is too much effort at the moment.

Therefore I did a lot of housekeeping: changing passwords, removing shell access, reverting back to DASH, replacing the default shell for root and any other users to another folder with symbolic links, restoring the config file for SSH, and removing CGI functionality from config files, e.g.

ScriptAlias /cgi-bin/ /home/searchmysite/cgi-bin/

#

allow from all

#

Removed AWStats and Webalizer for all Virtualmin sites.

I already had DenyHosts and Fail2Ban installed.

I also blocked in/outbound traffic to the IPs of the sites he was getting the files from.

However it seems since this change I have lost the visual cron manager from webmin.

When I go to the menu item "Scheduled Cron Jobs", it says, "The command crontab for managing user Cron configurations was not found. Maybe Cron is not installed on this system?"

However I can see in the file system it exists.

When I run crontab -l or crontab -e I get "Permission Denied".

whoami shows "root"

I did think at the time of the hack this was all related and he had used SSH and a Cron job to get his hack running.

What I want to know is how I can get the CronTab manager back.

All the cron jobs are still running such as importing feeds into my websites, running scheduled emails and so on, what I don't know is how to resolve this without a full rebuild.

If I had the time and energy I would do that but I am totally drained and before this hack everything was just running smoothly and my websites which bring me in money were working fine.

They currently are still working fine and I regularly check my logs for IPs that look odd, have strong htaccess rules for XSS/SQL/path traversal/file hacks and ban whole countries from Cloudflare which the site sits behind. So I don't "think" the machine is compromised at the moment even if it is old - could be wrong though!

Details of box:

  • Operating system: Debian Linux 5.0
  • Virtualmin version: 3.98.gpl GPL
  • WebMin Version: 1.610
  • Kernel and CPU: Linux 2.6.32.9-rscloud on x86_64

So if anyone can help me get my crontab manager back that would be great.

Thanks

MonkeyMagix

1 Answer

1) Check if chattr exists; if not, download a new one.

2) Type whereis crontab, then chattr -isa /path/to/crontab (usually /usr/bin/cron), then chmod crontab back to its original settings.

3) Navigate to /var/spool/ and run chattr -isa cron, then cd cron and chattr -isa crontabs

4) remove cron entry in /etc/cron.weekly

Look in /etc/cron.weekly for any new

  • Hi, sorry mate for being a div but I'm a total Windows bod and not used to Linux at all - hence the need for a WebMin interface - can you tell me how to check for chattr / download a new one - I asked someone here who is supposed to be a Linux bod but they didn't know what chattr was. Thanks for your help. – MonkeyMagix Feb 05 '15 at 11:22
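
A read-only check for the attributes that the answer's `chattr -isa` steps clear, added here as an example and not part of the original answer or comment. It assumes `lsattr` (shipped alongside `chattr` in e2fsprogs) is installed, and it falls back to `/usr/bin/crontab`, the usual Debian location, when `crontab` cannot be found on the PATH; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list cron-related paths that carry the i/a/s attributes.
# Nothing is modified; run with --audit as root to inspect the live system.

# flagged_attrs LINE
# LINE is one line of `lsattr -d` output: "<attribute string> <path>".
# Prints which of i (immutable), a (append-only), s (secure deletion) are set.
# Constructed sample: "----i---------e---- /usr/bin/crontab" gives "i".
flagged_attrs() {
    attrs=${1%% *}              # keep only the first field
    found=""
    for flag in i a s; do
        case $attrs in
            *"$flag"*) found="$found$flag" ;;   # case-sensitive: S, I, A differ
        esac
    done
    printf '%s\n' "$found"
}

# audit_paths PATH...
# Prints "FLAGS PATH" for each existing path with i/a/s set.
# Returns 1 if at least one such path was found, 0 otherwise.
audit_paths() {
    status=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        line=$(lsattr -d "$p" 2>/dev/null) || continue
        flags=$(flagged_attrs "$line")
        if [ -n "$flags" ]; then
            printf '%s %s\n' "$flags" "$p"
            status=1
        fi
    done
    return $status
}

if [ "${1:-}" = "--audit" ]; then
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not found" >&2; exit 2; }
    command -v chattr >/dev/null 2>&1 || echo "chattr not found (step 1)" >&2
    bin=$(command -v crontab 2>/dev/null)
    # /usr/bin/crontab is an assumed default, not taken from the answer.
    audit_paths "${bin:-/usr/bin/crontab}" /var/spool/cron \
        /var/spool/cron/crontabs /etc/cron.weekly
    ls -l "${bin:-/usr/bin/crontab}"   # mode and owner, for the chmod step
fi
```

Any path it prints is one where `chattr -isa` from steps 2 and 3 would apply; an empty result means those attributes are not what is blocking `crontab`.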