
Suspicious crontab entries

The database contains suspicious crontab entries.

We recommend having a (potentially) malware-infected store checked by experienced developers or security companies.

Details:

Since 2021, it has become increasingly common for malware not only to be stored in the file system, but also to be hidden within the crontab. The crontab is the system's internal list of all cron jobs, i.e. the processes that are executed regularly in the background. In this way, the malware tries to evade common scanners and human review, because often only the file system is checked. The malicious code itself is not necessarily immediately recognizable in the crontab, because obfuscation tactics are used. Further details on crontab malware are also available from our partner Sansec.

If such entries were found in your cluster, it is very likely that the cluster contains further malware. We therefore recommend fully scanning all applications and databases on the cluster in any case.

Malware cronjobs usually ensure that there is always a malware process running in the cluster. Therefore, all running processes should also be checked.

Solution: Checking the crontab

You can edit the contents of the crontab in an SSH console using the crontab -e command.

In addition, the Managed Center of the cluster shows you all active cronjobs under "Cronjobs".

Cronjobs that were not created by you should be deleted in any case. If you are unsure, deactivate a suspicious cronjob and then involve your agency or our support if necessary.

Additionally, we recommend checking the running processes of the cluster: the cronjob may have started a process during its last execution, which should also be terminated.
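
A heuristic first pass over the crontab review described above, as an added example that is not maxcluster's or Sansec's tooling. The patterns (base64 decoding, piping into a shell, eval, long encoded tokens) are assumptions about typical obfuscation, the function names are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: the patterns are assumed heuristics for obfuscated entries,
# not indicators published on this page. A hit means "review by hand".

# matches TEXT ERE: true if TEXT matches the extended regular expression.
matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# flag_cron_lines: read crontab text on stdin and print "reasons<TAB>entry"
# for every active entry that matches at least one heuristic.
flag_cron_lines() {
  while IFS= read -r entry || [ -n "$entry" ]; do
    # Comments (including deactivated jobs) and blank lines are not executed.
    if matches "$entry" '^[[:space:]]*(#|$)'; then continue; fi
    reasons=""
    if matches "$entry" 'base64[[:space:]]+(-d|--decode)'; then
      reasons="$reasons,base64-decode"
    fi
    if matches "$entry" '\|[[:space:]]*(/bin/)?(ba)?sh([[:space:]]|$)'; then
      reasons="$reasons,pipe-to-shell"
    fi
    if matches "$entry" '(^|[^[:alnum:]_])eval([^[:alnum:]_]|$)'; then
      reasons="$reasons,eval"
    fi
    if matches "$entry" '[A-Za-z0-9+/=]{60,}'; then
      reasons="$reasons,long-encoded-token"
    fi
    if [ -n "$reasons" ]; then
      printf '%s\t%s\n' "${reasons#,}" "$entry"
    fi
  done
  return 0
}

# sample_crontab: constructed entries for demonstration (harmless payloads).
sample_crontab() {
  cat <<'EOF'
# m h dom mon dow command
*/5 * * * * php /var/www/shop/bin/magento cron:run
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * echo ZWNobyBoZWxsbwo= | base64 -d | sh
*/10 * * * * php -r 'eval(base64_decode("ZWNobyAxOw=="));'
#* * * * * echo deactivated | sh
EOF
}

# Usage on the server: crontab -l | flag_cron_lines
```

An entry that passes these checks is not thereby clean; entries you did not create still need to be reviewed by hand.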

Further recommendations for action

Please also check our general malware recommendations.

Do you need assistance?

maxcluster GmbH
24 / 7 Customer support
Telephone:
+49 5251 414130
E-Mail:
support@maxcluster.de