A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.
First, let's look at what we have in /etc/cron.d/:
bandit21@melinda:~$ ls /etc/cron.d/
behemoth4_cleanup      leviathan5_cleanup     natas25_cleanup~  semtex0-ppc
cron-apt               manpage3_resetpw_job   natas26_cleanup   semtex5
cronjob_bandit22       melinda-stats          natas27_cleanup   sysstat
cronjob_bandit23       natas-session-toucher  php5              vortex0
cronjob_bandit24       natas-stats            semtex0-32        vortex20
cronjob_bandit24_root  natas25_cleanup        semtex0-64
All right, there is a file named cronjob_bandit22, which is probably what we are looking for. Let's look at its contents:
bandit21@melinda:~$ cat /etc/cron.d/cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
The cron job runs the script /usr/bin/cronjob_bandit22.sh every minute as user bandit22. Let's take a look at its contents:
bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
The script sets the permissions of the file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv to 644 and then copies the bandit22 password into it. Since mode 644 makes the file readable by every user, we can simply read it:
bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI
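
Seen from the administrator's side, the same pattern can be audited for. The following is an added example, not part of the original write-up: a POSIX shell check that parses cron.d-style files and reports job scripts that redirect into, or chmod files in, a shared temp directory. The function names, the regex and the sample files (demo22, demo23, leaky.sh, quiet.sh, CONSTRUCTED_NAME) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit cron.d-style job files for
# scripts that write into, or open up permissions in, a shared temp directory.

# Redirect into /tmp, /var/tmp or /dev/shm, or chmod there with other-read set.
RE='(>>?[[:space:]]*|chmod[[:space:]]+[0-7]*[4-7][[:space:]]+)(/tmp|/var/tmp|/dev/shm)/'

# Print "user<TAB>script" for each job line of one system crontab file.
cron_jobs() {
    while read -r m h dom mon dow user cmd || [ -n "$m" ]; do
        case $m in
            ''|'#'*|*=*) continue ;;          # blank, comment, VAR=value
            @*) user=$h; cmd=$dom ;;          # "@reboot user command" form
        esac
        printf '%s\t%s\n' "$user" "${cmd%% *}"
    done < "$1"
}

# Print "cronfile<TAB>user<TAB>script:line:text" for every risky script line.
audit_cron_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        cron_jobs "$f" | while IFS="$(printf '\t')" read -r user script; do
            [ -r "$script" ] || continue      # skip scripts we cannot read
            grep -En "$RE" "$script" | while IFS= read -r hit; do
                printf '%s\t%s\t%s:%s\n' "${f##*/}" "$user" "$script" "$hit"
            done
        done
    done
}

# Constructed sample: one leaky job (same shape as the level's script), one quiet.
make_sample() {
    mkdir -p "$1/cron.d"
    printf '%s\n' '#!/bin/bash' 'chmod 644 /tmp/CONSTRUCTED_NAME' \
        'cat /etc/demo_secret > /tmp/CONSTRUCTED_NAME' > "$1/leaky.sh"
    printf '%s\n' '#!/bin/bash' 'logger "job ran"' > "$1/quiet.sh"
    printf '%s\n' '# constructed sample' \
        "* * * * * demo22 $1/leaky.sh &> /dev/null" \
        "@reboot demo23 $1/quiet.sh" > "$1/cron.d/cronjob_demo"
}

d=$(mktemp -d) && make_sample "$d" && audit_cron_dir "$d/cron.d"
rm -rf "$d"
```

On a real host, point audit_cron_dir at /etc/cron.d; scripts the auditing user cannot read are skipped silently.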