Hi there
I just had the crontab for my main non-root user replaced with something that installed a miner on my server. I saw there were 2 HTTP POST commands in my nginx logs at the exact same time that the syslog showed the crontab being replaced. Nothing in my SSH logs either to show entry into my server.
I found this exploit online, so I'm curious if this has been fixed? I'm leaning towards this being the point of entry. I disabled port 80 from the outside, reset my passwords and ran rootkit scanners and found nothing, so hopefully I mitigated it. I have a website on 443 but nothing happened with that from what I can see in the logs.
Using OMV 3.0.96
https://www.cvedetails.com/cve/cve-2013-3632 - The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.
Cheers!
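The correlation described in the post (crontab replacement in syslog lined up against POST requests in the nginx access log) can be scripted as below. This is an added example, not the poster's or OpenMediaVault's code. It assumes nginx's default "combined" log format and Debian's `crontab[PID]: (user) REPLACE (user)` syslog line, with both logs in the same local timezone; all sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines for illustration (not taken from the poster's server).
NGINX_LOG = """\
198.51.100.7 - - [03/Mar/2019:04:11:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.52"
203.0.113.9 - - [03/Mar/2019:04:12:07 +0000] "POST /rpc.php HTTP/1.1" 200 87 "-" "-"
203.0.113.9 - - [03/Mar/2019:04:12:07 +0000] "POST /rpc.php HTTP/1.1" 200 54 "-" "-"
198.51.100.7 - - [03/Mar/2019:09:30:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "-"
"""
SYSLOG = """\
Mar  3 04:12:07 nas crontab[2211]: (admin) REPLACE (admin)
Mar  3 04:17:01 nas CRON[2301]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
"""

# Groups: client IP, local timestamp (offset dropped), method, path, status.
NGINX_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+?) [+-]\d{4}\] "(\S+) (\S+)[^"]*" (\d{3})')
# Groups: syslog timestamp (no year), invoking user, owner of the replaced crontab.
CRON_RE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ crontab\[\d+\]: \((\S+)\) REPLACE \((\S+)\)')

def parse_posts(text):
    """Yield (time, ip, path, status) for every POST in an nginx access log."""
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if m and m.group(3) == "POST":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            yield ts, m.group(1), m.group(4), int(m.group(5))

def parse_replacements(text, year):
    """Yield (time, changed_by, crontab_owner); syslog omits the year, so pass it in."""
    for line in text.splitlines():
        m = CRON_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def correlate(nginx_text, syslog_text, year, window_s=5):
    """For each crontab REPLACE, list the POST requests within +/- window_s seconds."""
    posts = list(parse_posts(nginx_text))
    window = timedelta(seconds=window_s)
    return [
        {"time": ts, "changed_by": actor, "crontab_user": owner,
         "posts": [p for p in posts if abs(p[0] - ts) <= window]}
        for ts, actor, owner in parse_replacements(syslog_text, year)
    ]

if __name__ == "__main__":
    for hit in correlate(NGINX_LOG, SYSLOG, 2019):
        print(hit["time"], hit["crontab_user"], [(p[1], p[2]) for p in hit["posts"]])
```

A REPLACE event with matching POSTs and no interactive login around the same time points at the web interface rather than SSH; the client IPs and paths in `posts` are the ones to search for in older rotated logs.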