I believe there is a bad cronjob on my server but how do I search server wide via ssh for the cronjob? I know it affects the server entirely (down) around 2am every Sunday morning. Where can I find this?
From the prompt try "crontab -e". Cron job files are in /var/spool/cron
Thank you.
/var/cron/tabs for FreeBSD and other BSD systems.
Thanks
-Seth
Now I have this major problem (reason why I am checking cronjobs). I am getting tons of emails regarding some eggdrop of some sort. I am not sure why because that is disabled (or should I say prevented) in WHM (checked) as running processes.
I ran crontab -e again and got this:
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
15 2 * * * /scripts/upcp
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
/etc/crontab shows this:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
How do I track this bad cronjob down exactly?
Users' cron jobs are in /var/spool/cron. You may want to look at the files in there.
This is all I see in that directory:
(null) cadenza
(null) gvllweb
(null) kelzclub
(null) mailman
(null) nibuhaho
(null) nobody
(null) outsider
(null) pewter
(null) root
(null) terri
(null) webhost
What would I do now? (thanks in advance)
You can look at each user's cron job settings with:
view /var/spool/cron/username
exit with
:q<enter>
Ok I got this:
gvllweb
--------
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/home/gvllweb/.crontab installed on Mon Apr 19 00:06:17 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 * * * * http://domain.com/modules/MS_Analysi...aintenance.php
cadenza
---------
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/home/cadenza/.crontab installed on Wed Mar 3 22:52:11 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
MAILTO="cadenza"
mailman
---------
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/usr/local/cpanel/src/3rdparty/gpl/mailman-2.1.5/cron/crontab.in installed on Sun Oct 10 18:54:09 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
MAILTO=postmaster
# At 8AM every day, mail reminders to admins as to pending requests.
# They are less likely to ignore these reminders if they're mailed
# early in the morning, but of course, this is local time...
0 8 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/checkdbs
#
# At 9AM, send notifications to disabled members that are due to be
# reminded to re-enable their accounts.
0 9 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/disabled
#
# Noon, mail digests for lists that do periodic as well as threshhold delivery.
0 12 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/senddigests
#
# 5 AM on the first of each month, mail out password reminders.
0 5 1 * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/mailpasswds
#
# Every 5 mins, try to gate news to mail. You can comment this one out
# if you don't want to allow gating, or don't have any going on right now,
# or want to exclusively use a callback strategy instead of polling.
#0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/gate_news
#
# At 3:27am every night, regenerate the gzip'd archive file. Only
# turn this on if the internal archiver is used and
# GZIP_ARCHIVE_TXT_FILES is false in mm_cfg.py
27 3 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/nightly_gzip
nibuhaho
----------
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/home/nibuhaho/.crontab installed on Sat Aug 14 00:54:37 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
MAILTO="nibuhaho"
0 0 * * * /home/nibuhaho/public_html/perlbill/include/auto_cron.cgi
nobody
---------
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/usr/local/flash/psfonts/.dat//.autobotchk installed on Sat Sep 18 17:11:11 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/usr/local/flash/psfonts/.dat//.autobotchk installed on Sat Sep 18 17:11:11 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/usr/local/flash/psfonts/.dat//.autobotchk installed on Sat Sep 18 17:11:11 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron.d installed on Sat Sep 18 17:04:05 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * /home/gvllweb/public_html/images/language/.psy/y2kupdate >/dev/null 2>&1
0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//Fandy.botchk
0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//psfonts.botchk
0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//D00r.botchk
root
-----
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/scripts/.crontab installed on Sun Oct 10 20:34:03 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
15 2 * * * /scripts/upcp
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
terri
-----
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/home/terri/.crontab installed on Fri Mar 19 08:38:43 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
MAILTO=""
*/30 * * * * wget -q -O /dev/null http://domain.com/cal/tools/send_reminders.php
webhost
---------
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/home/webhost/.crontab installed on Wed Sep 22 12:27:42 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
MAILTO="doug@webhost-galaxy.com"
0 * * * * GET http://www.domain.com/whoiscart/collector.php >/dev/null
0 3 7 * * GET http://www.domain.com/whoiscart/collector.php
What is normal and what should not be there?
Doesn't appear to be a user's cron job doing it since none of them are scheduled for only Sunday.
Your /etc/cron.weekly runs at 4:22am on Sunday. Any chance that's when you have problems? Server could be in a different time zone than you, so the hour might be off.
What's in your /etc/cron.weekly directory?
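One way to answer "what runs around 2am on Sunday" across every crontab at once, as an added example that is not part of the original thread. The function name `cron_fires_at` is made up for this example, and it assumes numeric schedule fields only.

```shell
#!/bin/sh
# Added example. cron_fires_at HOUR DOW FILE...   (DOW: 0 = Sunday)
# Prints every entry that can run during HOUR on weekday DOW.
# Assumption: numeric fields only (no "sun"/"jan" names, no @weekly).
# On the server in the thread:
#   cron_fires_at 2 0 /etc/crontab /var/spool/cron/*
cron_fires_at() {
    hour=$1; dow=$2; shift 2
    awk -v H="$hour" -v D="$dow" '
    # True if cron field f (lists, ranges, steps, "*") contains v.
    function hit(f, v, lo, hi,    n, p, i, q, r, s, a, b) {
        n = split(f, p, ",")
        for (i = 1; i <= n; i++) {
            s = (split(p[i], q, "/") == 2 && q[2] > 0) ? q[2] + 0 : 1
            if (q[1] == "*")                   { a = lo; b = hi }
            else if (split(q[1], r, "-") == 2) { a = r[1] + 0; b = r[2] + 0 }
            else                               { a = b = q[1] + 0 }
            if (v >= a && v <= b && (v - a) % s == 0) return 1
        }
        return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
    $1 ~ /^[A-Za-z_]+=/ || NF < 6 { next }   # settings such as MAILTO=root
    !hit($2, H + 0, 0, 23) { next }          # hour field does not match
    {
        # Vixie cron: when day-of-month and day-of-week are both
        # restricted, the job runs if EITHER matches, so a restricted
        # day-of-month can still land on the weekday asked about.
        # Sunday may be written as 0 or 7.
        ok = ($5 == "*") || hit($5, D + 0, 0, 7) ||
             (D + 0 == 0 && hit($5, 7, 0, 7)) || ($3 != "*")
        if (ok) printf "%s: %s\n", FILENAME, $0
    }' "$@"
}
```

Run against the root crontab posted above, hour 2 on Sunday returns the `bandmin`, `upcp` and `dnsqueue` lines, and hour 4 on Sunday returns the `run-parts` entries from /etc/crontab.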
That's empty like I mentioned before.
Strange case.
All are empty...
hourly
daily
weekly
monthly
Those look really, really suspicious to me... they're under 'nobody' instead of a username... and the first one especially (why isn't that script running under the gvllweb user?)... so they could have been installed through an apache exploit or a script with a security hole. Check the file content to see just what they are running. I suspect you have some bots running...
* * * * * /home/gvllweb/public_html/images/language/.psy/y2kupdate >/dev/null 2>&1
0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//Fandy.botchk
0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//psfonts.botchk
0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//D00r.botchk
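The signs pointed out in the post above (a crontab owned by 'nobody', programs kept in dot-directories, a script in one user's home running from another account's crontab) can be checked across a whole spool directory. This is an added example, not part of the original thread; the function name `cron_flag_suspicious` and the service-account names other than `nobody` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. cron_flag_suspicious DIR
# DIR holds one crontab per user, named after the user, which is the
# layout of /var/spool/cron. Prints "user: reasons: entry" per hit.
cron_flag_suspicious() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v user="$(basename "$f")" '
        BEGIN {
            # Accounts that normally have no crontab of their own.
            # "nobody" is from the thread; the others are assumptions.
            n = split("nobody apache www-data httpd", s, " ")
            for (i = 1; i <= n; i++) svc[s[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments, blank lines
        $1 ~ /^[A-Za-z_]+=/ || NF < 6 { next }    # MAILTO= and the like
        {
            why = ""
            if (user in svc) why = why " service-account"
            # A path component starting with "." (for example /.dat/).
            if ($6 ~ "/[.][^/]") why = why " hidden-path"
            # Program stored under a different user home directory.
            if (split($6, p, "/") > 3 && p[2] == "home" && p[3] != user)
                why = why " foreign-home"
            if (why != "") printf "%s:%s: %s\n", user, why, $0
        }' "$f"
    done
}
```

A hit is a reason to read the referenced file and check its owner and timestamps before removing anything, since the crontab header comments record where each entry was installed from.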
Well that user has a small town kiddy baseball team photo site. I know it's not him doing anything. Second, I deleted the root and nobody cronjob files.
I will see what happens.
rootkit hunter gave all "ok" results
Would agree with deleting the nobody cron job file but the root cron is what allows the daily cpanel update among other things.