I have two rather new RH7.3 servers, which I installed without any patches
(dumb - I had never installed patches before).
A couple of weeks ago both got infected with [different] strains of the
Cinik (mod_ssl) worm.
On machine "A" I shut down Apache for about a week, and left "B" running.
On 10/5/02 I downloaded and installed RH patches for apache, bind, glibc,
openssh, openssl, php and mod_ssl on both machines. I deleted the cinik
stuff from /tmp.
Machine "B" has been worm-free since. Cinik reappeared on machine "A"
overnight last night -- process running and the usual suspect files back in
/tmp.
I happened to look in /var/log/cron (on the subject of cron I am rather
clueless) and saw the following suspicious entries in the time frame when I
believe the worm reappeared:
Oct 13 05:20:00 archive3 CROND[25572]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:20:00 archive3 CROND[25573]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:25:00 archive3 CROND[25577]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:26:34 archive3 crontab[25622]: (apache) REPLACE (apache)
Oct 13 05:27:00 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:27:29 archive3 crontab[25630]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25635]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25640]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25645]: (apache) REPLACE (apache)
Oct 13 05:28:01 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:30:00 archive3 CROND[25666]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:30:00 archive3 CROND[25667]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:35:00 archive3 CROND[25670]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Any suggestions as to what the log entries mean (i.e. who did what to
Apache?), and why cinik has reappeared?
Also, can someone point me towards a resource about cron so that I may
become less clueless?
Thanks,
Dick
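Added example (not from the original post, and not a Red Hat tool): a small Python script that parses the vixie-cron log format shown in the post and flags the lines that matter here, namely `crontab ... REPLACE` entries made by the account the web server runs as, and bursts of such rewrites within a short window, which is what a script rather than a person produces. A `RELOAD (cron/<user>)` line from crond simply means it picked up that user's new crontab file. The sample lines are copied from the post; the list of service accounts (`apache`) and the 60-second burst window are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set

# vixie-cron log format as seen in /var/log/cron on RH7.x:
#   Mon DD HH:MM:SS host prog[pid]: (user) ACTION (args)
# prog is CROND (job run), crond (reload) or crontab (user edited a crontab).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[A-Za-z]+)\[(?P<pid>\d+)\]: "
    r"\((?P<user>[^)]+)\) (?P<action>[A-Z][A-Z ]*?) \((?P<args>.*)\)$"
)

# Actions the crontab(1) command logs when it writes or removes a user's crontab.
CRONTAB_WRITE_ACTIONS = {"REPLACE", "DELETE"}

# Assumption: accounts that run network services and should never own a crontab.
DEFAULT_SERVICE_USERS: Set[str] = {"apache"}


@dataclass
class CronEvent:
    ts: str
    host: str
    prog: str
    pid: int
    user: str
    action: str
    args: str

    @property
    def when(self) -> datetime:
        # Syslog timestamps carry no year; 1900 is fine for ordering within a file.
        return datetime.strptime(self.ts, "%b %d %H:%M:%S")


def parse_cron_log(lines: Iterable[str]) -> List[CronEvent]:
    """Parse /var/log/cron lines; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(CronEvent(m["ts"], m["host"], m["prog"], int(m["pid"]),
                                    m["user"], m["action"], m["args"]))
    return events


def crontab_changes(events: Iterable[CronEvent],
                    service_users: Optional[Set[str]] = None) -> List[CronEvent]:
    """Crontab writes/deletes, optionally restricted to service accounts.

    A REPLACE by e.g. 'apache' means whoever controls the httpd process has
    scheduled commands that come back after /tmp is cleaned.
    """
    return [e for e in events
            if e.prog == "crontab" and e.action in CRONTAB_WRITE_ACTIONS
            and (service_users is None or e.user in service_users)]


def scripted_bursts(changes: Iterable[CronEvent], window_seconds: int = 60,
                    min_count: int = 3) -> List[List[CronEvent]]:
    """Group a user's crontab writes that fall within window_seconds of the
    first write in the group; groups of min_count or more are bursts."""
    bursts: List[List[CronEvent]] = []
    current: List[CronEvent] = []
    for ev in sorted(changes, key=lambda e: (e.user, e.when)):
        if current and (ev.user != current[0].user
                        or (ev.when - current[0].when).total_seconds() > window_seconds):
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(ev)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


# Sample input: the /var/log/cron excerpt from the post (mrtg/sa1 lines unwrapped).
SAMPLE_LOG = """\
Oct 13 05:20:00 archive3 CROND[25572]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:20:00 archive3 CROND[25573]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:25:00 archive3 CROND[25577]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:26:34 archive3 crontab[25622]: (apache) REPLACE (apache)
Oct 13 05:27:00 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:27:29 archive3 crontab[25630]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25635]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25640]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25645]: (apache) REPLACE (apache)
Oct 13 05:28:01 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:30:00 archive3 CROND[25666]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:30:00 archive3 CROND[25667]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:35:00 archive3 CROND[25670]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
""".splitlines()

EVENTS = parse_cron_log(SAMPLE_LOG)

if __name__ == "__main__":
    for ev in crontab_changes(EVENTS, DEFAULT_SERVICE_USERS):
        print(f"{ev.ts} {ev.host}: crontab {ev.action} by service account {ev.user} (pid {ev.pid})")
    for burst in scripted_bursts(crontab_changes(EVENTS, DEFAULT_SERVICE_USERS)):
        print(f"{len(burst)} rewrites by {burst[0].user} between {burst[0].ts} and {burst[-1].ts}: scripted")
```

Feed it the real file with `parse_cron_log(open("/var/log/cron"))`. On a box like the one in the post, the hits point at the persistence mechanism: the crontab file vixie cron keeps under /var/spool/cron/ for that user (`crontab -u apache -l` shows it), which survives deleting the worm's files from /tmp. Removing it, and deciding whether the apache account should be allowed to use crontab at all (cron.allow/cron.deny), is the follow-up the log is asking for.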