Alejandro

Reputation: 194

crontab is overwritten all the time

I have a new VPS with Ubuntu 20.4 and I set up the crontab to run a .sh to make a database backup.
But after a few days the backup didn't run. So I went to the server to check, and the crontab had been changed. So I set up my script again, and if I run crontab -l I can see my configuration. But after a few minutes the configuration changes to something like this: * * * * * /etc/default/tjoy9mwlx or * * * * * /etc/apparmor.d/if3iil.
And if I run, for example, cat /etc/apparmor.d/if3iil to look at the file, it looks like a binary file.

I don't know what is happening. I also ran a virus/malware scan with rkhunter and it looks like everything is OK.

Upvotes: 0

Views: 291

Answers (1)

Hovhannes Manushyan

Reputation: 50

I have two possible versions of what could possibly be the case.

One version is that there is malware that changes the cron to run a malicious process. It is very suspicious that a binary file is located in your /etc/apparmor.d/ directory, as this directory is used to store the configuration files of AppArmor, which are not in binary format. Note that in this case, rkhunter could be unable to identify the malware because it does not have the obvious malware characteristics (such as an exact malware hash or a suspicious string) that rkhunter is looking for. In order to verify if this is the case, you need to reverse engineer the binaries and understand what they are doing, or ask someone else to do it.

The second version is that the VPS has a spurious configuration that results in changes to your cron configuration. To check if this is the case, you can monitor the processes running during the time that cron has been changed and identify the source of the problem. Also, you can take a look at the application logs and find which app is responsible for the overwrite.

In case you want a more detailed answer, please share more detailed information regarding your problem, such as the contents of the binary files, monitoring results, app logs, etc.

Upvotes: 2
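
The check the answer describes (a crontab entry pointing at a binary inside a configuration directory) can be automated. The script below is an added example, not part of the original question or answer; the function names and the SCAN_ROOT variable are assumptions of this example.

```sh
#!/bin/sh
# Added example: list crontab commands that are ELF binaries stored under /etc.
# SCAN_ROOT is an assumption of this example: set it to the mount point of a
# disk image to inspect a copy of the system instead of the live filesystem.
SCAN_ROOT=${SCAN_ROOT:-}

# True when the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Read user-crontab text on stdin; print each command path that is under /etc
# and is an ELF executable (configuration directories hold text, not binaries).
flag_cron_entries() {
    while read -r line; do
        case $line in
            ''|'#'*|[A-Za-z_]*) continue ;;   # blank, comment, VAR=value
        esac
        set -f                # keep the "*" schedule fields from globbing
        set -- $line
        set +f
        case $1 in
            @*) cmd=${2:-} ;; # @reboot, @daily, ...
            *)  cmd=${6:-} ;; # five schedule fields, then the command
        esac
        case $cmd in
            /etc/*) if is_elf "$SCAN_ROOT$cmd"; then printf '%s\n' "$cmd"; fi ;;
        esac
    done
    return 0
}

# Live use: sh thisfile.sh --live   (reads the current user's crontab)
if [ "${1:-}" = "--live" ]; then
    crontab -l | flag_cron_entries
fi
```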
