A tale of two crons or: How cron helped me spot an infection on a server

A few days ago, while I was helping my friend administer his VPS, I noticed a suspicious entry in the output of the last command. To make sure nothing shady was running on the server, I ran ps aux to list every running process and started inspecting the output. By pure coincidence, I noticed that there were two cron daemons running: one named cron and one named crond. The VPS was running Ubuntu Server 14.04, and I knew from experience that the one named cron is the daemon that runs there by default. So why was a process named crond running as well?

To find the source of the crond process, I started by running the which crond command, but surprisingly got no output. By this point I was convinced the process was fishy. To find the directory the process was running from, I ran pwdx with its PID. The output was:

<pid>: /tmp/ .

I immediately cd'ed to the /tmp/ directory.
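As an added example that is not part of the original post, the following shell script does the same checks the post made by hand (which crond, pwdx, ps aux) for every cron-like process on a Linux host: it resolves the executable and working directory through /proc and flags the combinations a distribution's own cron daemon never shows. Function names and the sample values in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: triage cron-like daemons on Linux by
# resolving each process's executable and working directory through /proc, which are
# the same facts the post obtained by hand with which(1) and pwdx(1).

# classify_proc NAME EXE CWD PATH_HIT
#   NAME     process name (from /proc/<pid>/comm)
#   EXE      readlink of /proc/<pid>/exe ("" if unreadable)
#   CWD      readlink of /proc/<pid>/cwd
#   PATH_HIT result of `command -v NAME` ("" when the name is not on PATH)
# Prints one verdict line; returns 0 if the process looks suspicious, 1 if not.
classify_proc() {
  name=$1; exe=$2; cwd=$3; path_hit=$4; reason=""
  case "$exe" in
    "")                            reason="executable could not be resolved" ;;
    *" (deleted)")                 reason="executable deleted after start" ;;
    /tmp/*|/var/tmp/*|/dev/shm/*)  reason="executable lives under a temp dir" ;;
  esac
  case "$cwd" in
    /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
      reason="${reason:+$reason; }working directory under a temp dir" ;;
  esac
  # The post's tell: a daemon called crond for which `which crond` finds nothing.
  if [ -z "$path_hit" ]; then
    reason="${reason:+$reason; }name not found on PATH"
  fi
  if [ -n "$reason" ]; then
    printf 'SUSPICIOUS %s exe=%s cwd=%s (%s)\n' "$name" "$exe" "$cwd" "$reason"
    return 0
  fi
  printf 'ok %s exe=%s cwd=%s\n' "$name" "$exe" "$cwd"
  return 1
}

# scan_cron_daemons: classify every live process whose comm is cron or crond.
# Run as root so that /proc/<pid>/exe and cwd of other users' processes are readable.
scan_cron_daemons() {
  for p in /proc/[0-9]*; do
    name=$(cat "$p/comm" 2>/dev/null) || continue
    case "$name" in cron|crond) ;; *) continue ;; esac
    exe=$(readlink "$p/exe" 2>/dev/null)
    cwd=$(readlink "$p/cwd" 2>/dev/null)
    classify_proc "$name" "$exe" "$cwd" "$(command -v "$name" 2>/dev/null)" || :
  done
  return 0
}

scan_cron_daemons
```

A legitimate Ubuntu cron shows up as something like "ok cron exe=/usr/sbin/cron cwd=/", while the case in the post (a crond with no binary on PATH, working out of a directory under /tmp) is reported with both reasons.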
