[edit] Introduction

[edit] Alert Message

High Risk: Suspicious cron job for a web user was detected. This could be indicative of a compromised system.

[edit] Summary

This means that ASL has detected a cronjob owned by one of these users:

• apache
• nobody
• www-data

[edit] Details

[edit] Explanation

In shared hosting environments, it is extremely unusual to find a cronjob owned by one of these users:

• apache
• nobody
• www-data

In shared hosting environments users, when granted cronjob access, are limited to creating cronjobs as themselves and never as the users of daemons, such apache, or other services on the system. An attacker however may gain access to the user that those services run as, for example they may be able to become the "apache" user. When they gain access, its not unusual for them to setup processes to attempt to run regular commands on the systems, such as via cronjob.

In non-shared hosting environments this may not always be the case, but because these users are generally easily compromisable, because they are attached to publicly facing daemons that are commonly compromised, cronjobs owned by these users may indicate the system has been compromised.

[edit] Recommendations

In general, we recommend that you not grant cronjob access to the same users used to run daemons, such a nobody, apache, www-data, sshd, and others. We recommend you use a different user or users from your daemon users to run your cronjobs, and restrict cronjob access by these "publicly facing" users. This creates compartmentalization, thus ensuring that if an attacker were to gain access to the system through on of these "publicly facing" users that they would be limited in what they can do on the system. This principle of defense in depth is vital to protecting a modern system.

[edit] Notes

It is not possible to disable this check in ASL at this time.