Today I realised that my home server (Ubuntu 16.04 x86) was compromised via ssh, and the attacker got root access.
He put the following in my root crontab:
root@d:~# crontab -l
5 8 * * 0 /root/.configrc/a/upd>/dev/null 2>&1
@reboot /root/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.configrc/b/sync>/dev/null 2>&1
@reboot /root/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
root@d:~#
root@d:~# tree -C .configrc/
.configrc/
├── a
│   ├── a
│   ├── bash.pid
│   ├── dir.dir
│   ├── init0
│   ├── kswapd0
│   ├── run
│   ├── stop
│   └── upd
├── b
│   ├── a
│   ├── dir.dir
│   ├── run
│   ├── stop
│   └── sync
├── cron.d
└── dir2.dir
2 directories, 15 files
root@d:~#
I didn't analyse it yet, but it looks like the crontab runs the above files, adds his ssh key to authorized_keys, and runs kswapd.
Please beware!!!
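A small triage script for exactly this kind of finding, added here as an example and not code from the original post: it parses `crontab -l` output and flags jobs whose binary sits under a hidden (dot) directory or in a scratch location such as /tmp, /var/tmp or /dev/shm. The sample input is the post's crontab plus one constructed benign job so the clean case is shown too.

```python
import re
from pathlib import PurePosixPath
# Crontab entries from the post above plus one constructed ordinary job, embedded so this runs offline.
SAMPLE_CRONTAB = """\
5 8 * * 0 /root/.configrc/a/upd>/dev/null 2>&1
@reboot /root/.configrc/a/upd>/dev/null 2>&1
5 8 * * 0 /root/.configrc/b/sync>/dev/null 2>&1
@reboot /root/.configrc/b/sync>/dev/null 2>&1
0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1
0 3 * * * /usr/bin/certbot renew --quiet
"""
# Scratch locations where a persistent root cron job has no business living.
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
def split_entry(line):
    """(schedule, command) for one crontab line; None for blanks, comments and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
        return None
    if line.startswith("@"):                 # @reboot, @daily, ...
        sched, _, cmd = line.partition(" ")
    else:                                    # five time fields, then the command
        parts = line.split(None, 5)
        if len(parts) < 6:
            return None
        sched, cmd = " ".join(parts[:5]), parts[5]
    return sched, cmd.strip()
def command_path(cmd):
    """First token of the command; the '>/dev/null' glued straight onto the path is cut off."""
    return re.split(r"[\s>|;&]", cmd, maxsplit=1)[0]

def suspicious_reasons(cmd):
    """Why this cron command looks like persistence (empty list = nothing flagged)."""
    path = PurePosixPath(command_path(cmd))
    reasons = []
    if any(part.startswith(".") for part in path.parts[1:]):
        reasons.append("binary lives under a hidden (dot) directory")
    if any(str(path).startswith(d + "/") for d in SCRATCH_DIRS):
        reasons.append("binary lives in a scratch directory")
    # Silencing all output is only worth noting once a path check has already tripped.
    if reasons and re.search(r">\s*/dev/null\s+2>&1", cmd):
        reasons.append("all output discarded")
    return reasons

def audit_crontab(text):
    """[(schedule, command, reasons)] for every entry that trips at least one check."""
    entries = [e for e in map(split_entry, text.splitlines()) if e]
    return [(s, c, suspicious_reasons(c)) for s, c in entries if suspicious_reasons(c)]

if __name__ == "__main__":
    for sched, cmd, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"[!] {sched} {cmd}\n    " + "; ".join(reasons))
```

Run it against `crontab -l -u root` and the system crontabs in /etc/cron.d as well; the five entries from the post all trip the hidden-directory check, while the certbot job stays quiet.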