tlug.jp Mailing List Archive
Re: [tlug] Who is www-data, and why do they want my CPU?
- Date: Thu, 20 Mar 2008 01:11:11 +0900
- From: "Evan Monroig" <evan.monroig@example.com>
- Subject: Re: [tlug] Who is www-data, and why do they want my CPU?
On Wed, Mar 19, 2008 at 9:48 PM, Dave M G <dave@example.com> wrote:
> I ran the command as Evan said, and this time it came back with one
> response:
> $ sudo find / -type f -name www-data
> /var/spool/cron/crontabs/www-data
>
> I then wanted to check it out, but it wouldn't let me.
>
> $ cd /var/spool/cron/crontabs/
> bash: cd: /var/spool/cron/crontabs/: Permission denied
>
> Even as root I can't seem to enter the directory.
>
> I know crontab is probably some regularly scheduled program, but I can't
> see it if I type "crontab -e", so I don't know what it is.

It seems you found out!

So as you guessed crontab will regularly run some commands from you.
The file is named after www-data so it means that the commands that are
scheduled will be run as www-data.

If you type "crontab -e" it will edit your crontab, i.e. I assume the
file /var/spool/cron/crontabs/dave, so this is not what you want.

The most straightforward way to look at it is while being root, by
running for example the command

  sudo cat /var/spool/cron/crontabs/www-data

If you want to go to the directory you would have to become root,
e.g. by running "sudo su -" and then "cd /var/spool/cron/crontabs/", etc.

Now one easy way to disable it is just to move the file to another
place and change ownership, but make sure that you keep a copy so you
can refer to it to know what the attacker was doing with your machine
if effectively it has been pwned...

Hope this helps,
Evan
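
The move-and-keep-a-copy step described in the message above, as an added example that is not part of the original post. The function names, the SPOOL variable and the evidence directory layout are assumptions; the spool path is the one from the thread.

```sh
#!/bin/sh
# Added example: take a user's crontab out of service but keep it as evidence.
# Assumes GNU/Linux tools (cp -p, sha256sum). Run as root on a real system,
# e.g.:  quarantine_crontab www-data /root/evidence
SPOOL="${SPOOL:-/var/spool/cron/crontabs}"

# quarantine_crontab USER EVIDENCE_DIR
# Records the file's owner/mode/mtime, copies it with timestamps preserved,
# checks the copy against the original, then removes the live file.
quarantine_crontab() {
    user="$1"; dest="$2"
    src="$SPOOL/$user"
    [ -f "$src" ] || { echo "no crontab for $user in $SPOOL" >&2; return 1; }

    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    # Metadata first, before anything touches the file.
    ls -ln "$src" > "$dest/$user.meta" || return 1
    want=$(sha256sum < "$src") || return 1
    cp -p "$src" "$dest/$user.crontab" || return 1
    got=$(sha256sum < "$dest/$user.crontab") || return 1
    # Only remove the live file once the copy is byte-identical.
    [ "$want" = "$got" ] || { echo "copy mismatch, spool untouched" >&2; return 1; }
    printf '%s  %s\n' "${got%% *}" "$user.crontab" > "$dest/$user.sha256"

    # Change ownership to the investigator (root when run as root), read-only.
    chown "$(id -u)" "$dest/$user.crontab" && chmod 400 "$dest/$user.crontab"
    rm -f "$src"
}

# active_entries FILE
# Prints the lines cron would act on (jobs and variable settings),
# skipping blank lines and comments.
active_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}
```

The .meta file keeps the original owner and modification time, which the quarantined copy's changed ownership would otherwise hide.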