Linux · Recovery Guide

How to Remove Malicious Cron Jobs and systemd Services on Linux

Learn how to identify and safely remove malicious scheduled tasks and services from your Linux system, restoring its integrity and security.

Identify Suspicious Cron Jobs

Cron jobs are scheduled commands that run automatically at specified intervals. Malicious actors often use these to maintain persistence. Here's how to check for unusual entries.

1. Examine your user-specific cron jobs using crontab -l. Look for unfamiliar scripts or commands.
2. Inspect system-wide cron jobs in /etc/crontab and /etc/cron.d/. Pay attention to any recently modified files.
3. Review the contents of /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, and /etc/cron.monthly/ for suspicious scripts.
4. Check for cron jobs disguised as legitimate system tasks, often with random-looking filenames or unusual execution times.
5. Use a command like grep -r 'CRON' /var/log/syslog (or /var/log/messages on some systems) to review recent cron activity.

Identify Suspicious systemd Services

systemd manages system services on many modern Linux distributions. Malicious services can run continuously and hide their activities. Let's find them.

1. List all running services with systemctl list-units --type=service --state=running. Look for services with unusual names or descriptions.
2. Inspect all enabled services using systemctl list-unit-files --type=service --state=enabled. Cross-reference these with known legitimate services.
3. Examine the contents of service unit files for suspicious services. These are typically located in /etc/systemd/system/ and /usr/lib/systemd/system/.
4. Look for services that start custom scripts or executables from unusual directories (e.g., /tmp/ or hidden directories).
5. Check the timestamps of unit files in systemd directories for recent, unexpected modifications.

Safely Disable and Remove Malicious Cron Jobs

Once identified, malicious cron jobs need to be disabled and removed. We'll start with the least destructive steps.

1. For user cron jobs: Edit your crontab with crontab -e and either delete the suspicious line or comment it out by adding a # at the beginning.
2. For system-wide cron jobs: Edit the relevant file in /etc/crontab or /etc/cron.d/ using a text editor (e.g., sudo nano /etc/crontab). Delete or comment out the malicious entry.
3. For scripts in cron directories: Move suspicious scripts from /etc/cron.hourly/, /etc/cron.daily/, etc. to a quarantine directory (e.g., a new /tmp/quarantine/ directory) rather than deleting them immediately.
4. Verify that the rogue cron job is no longer active by checking system logs after the supposed execution time.

Safely Disable and Remove Malicious systemd Services

Removing malicious systemd services requires careful steps to prevent system issues. Follow these steps to disable and then remove them.

1. Stop the malicious service: Use sudo systemctl stop [service_name]. Replace [service_name] with the actual name of the service.
2. Disable the service: Prevent it from starting on boot with sudo systemctl disable [service_name].
3. Remove the service unit file: Delete the .service file from /etc/systemd/system/ or /usr/lib/systemd/system/ (e.g., sudo rm /etc/systemd/system/[service_name].service).
4. Reload systemd: After deleting a unit file, run sudo systemctl daemon-reload to make systemd aware of the changes.
5. Remove associated files: Delete any scripts or executables that the malicious service was configured to run. Check directories like /bin/, /usr/local/bin/, /opt/, or hidden directories in user home folders.
6. Verify the service is no longer present by attempting to start it or checking systemctl list-unit-files.