How to deal with malicious kcached processes

If you see something like the following on your server, you can be sure you have detected malicious activity:

username 2156075 0.0 0.0 2848 2660 ? Ss Feb09 0:00 [kcached]
username 2156076 0.0 0.0 2852 2660 ? S Feb09 0:01 \_ [kcached]

You can use the lsof command to determine which processes have the files open and whether they are being used for legitimate purposes.…

Tune user’s crontab files

Add MAILTO="" to each user's crontab file to prevent cron from sending mail:

cd /var/spool/cron && for i in *[a-z]*; do if ! grep -q "MAILTO" "$i"; then sed -i -e '1 s/^/MAILTO=""\n/' "$i"; else echo "MAILTO already exists for $i"; fi; done

Remove a nonexistent email address from a user's crontab to prevent bounces (USERNAME below is a placeholder for the account's crontab file):

sed -i -e 's/MAILTO=.*/MAILTO=""/g' /var/spool/cron/USERNAME