Hey Vele,
It seems the issue hasn’t been fully resolved yet. Yesterday around 18:40, the same problem reappeared. I’ve been monitoring the auth.log file and noticed that a cron job appears to be triggering some form of malicious activity.
Here’s an excerpt from the log file:
Apr 3 15:41:25 <host> systemd-logind[827]: New session 2 of user vbz.
Apr 3 15:45:01 <host> CRON[2732]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 3 15:45:01 <host> sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/occ dav:send-event-reminders
Apr 3 15:45:01 <host> sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/cron.php
This pattern repeats frequently. The log suggests that PHP scripts are being triggered by root via cron and executed as the www-data user.
Additionally, I created a watcher script to monitor how often the sendmail method is invoked. Below is an excerpt showing repeated activity by the cron daemon:
2025-04-03 11:25:02 - User: root(0:0) - Host: <hostname> - TTY: not a tty no-tty - PWD: /root - Parent: /usr/sbin/CRON - Args: -FCronDaemon -i -B8BITMIME -oem root
...
2025-04-03 13:50:02 - User: root(0:0) - Host: <hostname> - TTY: not a tty no-tty - PWD: /root - Parent: /usr/sbin/CRON - Args: -FCronDaemon -i -B8BITMIME -oem root
This suggests that sendmail or a similar process is being run on a consistent schedule, potentially every 5 minutes, without any direct user interaction.
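As an added example (not part of this e-mail thread, and not a script either correspondent wrote), here is a small Python parser that reads auth.log lines like the ones quoted above, ties each sudo entry to the cron session opened just before it, and reports the gap in seconds between successive runs of the same command. That gives a direct measurement of the suspected 5-minute schedule instead of an impression from scrolling the log. The sample lines are constructed from the excerpt: the host name host1, the year 2025, the two later repeats at 15:50 and 15:55, and the interactive vbz sudo line are assumptions added to exercise the correlation.

```python
"""Correlate CRON session opens with the sudo commands they spawn in auth.log
and measure how regularly each command recurs.

Added example for the thread above; the sample log is constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumption): the quoted excerpt plus two later repeats of
# the same cron pattern and one interactive sudo that must NOT be attributed to cron.
SAMPLE_AUTH_LOG = """\
Apr 3 15:41:25 host1 systemd-logind[827]: New session 2 of user vbz.
Apr 3 15:45:01 host1 CRON[2732]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 3 15:45:01 host1 sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/occ dav:send-event-reminders
Apr 3 15:45:01 host1 sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/cron.php
Apr 3 15:50:01 host1 CRON[2801]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 3 15:50:01 host1 sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/occ dav:send-event-reminders
Apr 3 15:50:01 host1 sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/cron.php
Apr 3 15:52:10 host1 sudo:   vbz : TTY=pts/0 ; PWD=/home/vbz ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Apr 3 15:55:01 host1 CRON[2870]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Apr 3 15:55:01 host1 sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/occ dav:send-event-reminders
Apr 3 15:55:01 host1 sudo: root : PWD=/root ; USER=www-data ; COMMAND=/usr/bin/php8.0 -f /usr/local/lib/app/cron.php
"""

YEAR = 2025  # assumption: classic syslog timestamps carry no year

# "Mon  D HH:MM:SS host prog[pid]: message" (pid is optional, e.g. for sudo)
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_auth_line(line):
    """Split one auth.log line into its fields; return None for non-syslog lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def parse_sudo_msg(msg):
    """'root : PWD=/root ; USER=www-data ; COMMAND=...' -> ('root', {field: value})."""
    invoker, _, rest = msg.partition(" : ")
    fields = {}
    for part in rest.split(" ; "):
        key, _, value = part.partition("=")
        fields[key] = value
    return invoker.strip(), fields


def cron_spawned_sudo(lines, window=timedelta(seconds=2)):
    """Return (ts, invoker, run-as user, command) for every sudo entry that follows
    a CRON session open for the same invoking user within `window`.

    Heuristic: sudo lines carry no PID, so the link is by user and proximity in
    time. An interactive sudo by the same user inside the window would be
    misattributed; the window is kept small for that reason."""
    last_cron_open = {}  # user -> timestamp of the most recent CRON session open
    hits = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        if rec["prog"] == "CRON":
            m = re.search(r"session opened for user (\w+)", rec["msg"])
            if m:
                last_cron_open[m.group(1)] = rec["ts"]
        elif rec["prog"] == "sudo":
            invoker, fields = parse_sudo_msg(rec["msg"])
            opened = last_cron_open.get(invoker)
            if opened is not None and timedelta(0) <= rec["ts"] - opened <= window:
                hits.append((rec["ts"], invoker, fields.get("USER"), fields.get("COMMAND")))
    return hits


def recurrence(hits):
    """Per (run-as user, command): the gaps in seconds between consecutive runs."""
    runs = defaultdict(list)
    for ts, _, runas, cmd in hits:
        runs[(runas, cmd)].append(ts)
    gaps = {}
    for key, times in runs.items():
        times.sort()
        gaps[key] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return gaps


if __name__ == "__main__":
    found = cron_spawned_sudo(SAMPLE_AUTH_LOG.splitlines())
    for (runas, cmd), gaps in recurrence(found).items():
        print(f"{runas}: {cmd}\n  gaps between runs (s): {gaps}")
```

Point it at a real file with `cron_spawned_sudo(open("/var/log/auth.log"))`; a steady list of 300-second gaps confirms a `*/5 * * * *` style schedule, while irregular gaps or a command that appears without a preceding CRON open is what would deserve a closer look. The same gap calculation applies to the timestamps in the sendmail watcher output.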