The Community Forums


bad cronjob

Discussion in 'General Discussion' started by Secret Agent, Oct 10, 2004.

  1. Secret Agent

    Secret Agent Guest

    I believe there is a bad cronjob on my server, but how do I search server-wide via ssh for the cronjob? I know it affects the server entirely (down) around 2am every Sunday morning. Where can I find this?
     
  2. sawbuck

    sawbuck Well-Known Member

    From the prompt try "crontab -e". Cron job files are in /var/spool/cron.
     
  3. sjackson909

    sjackson909 Well-Known Member

    /var/cron/tabs for FreeBSD and other BSD systems.

    Thanks
    -Seth
     
  4. Secret Agent

    Secret Agent Guest

    Now I have this major problem (the reason why I am checking cronjobs). I am getting tons of emails regarding some eggdrop of some sort. I am not sure why, because that is disabled (or should I say prevented) in WHM (checked) as running processes.

    I ran crontab -e again and got this:

    2,58 * * * * /usr/local/bandmin/bandmin
    0 0 * * * /usr/local/bandmin/ipaddrmap
    15 2 * * * /scripts/upcp
    */15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
    */5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
    0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1

    /etc/crontab shows this:

    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/

    # run-parts
    01 * * * * root run-parts /etc/cron.hourly
    02 4 * * * root run-parts /etc/cron.daily
    22 4 * * 0 root run-parts /etc/cron.weekly
    42 4 1 * * root run-parts /etc/cron.monthly

    How do I track this bad cronjob down exactly?
     
  5. PWSowner

    PWSowner Well-Known Member

    Users' cron jobs are in /var/spool/cron. You may want to look at the files in there.
     
  6. Secret Agent

    Secret Agent Guest

    This is all I see in that directory:

    (null) cadenza
    (null) gvllweb
    (null) kelzclub
    (null) mailman
    (null) nibuhaho
    (null) nobody
    (null) outsider
    (null) pewter
    (null) root
    (null) terri
    (null) webhost


    What would I do now? (thanks in advance)
     
  7. PWSowner

    PWSowner Well-Known Member

    You can look at each user's cron job settings with:
    view /var/spool/cron/username

    exit with
    :q<enter>
     
  8. Secret Agent

    Secret Agent Guest

    Ok I got this:

    gvllweb
    --------

    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/gvllweb/.crontab installed on Mon Apr 19 00:06:17 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    0 * * * * http://domain.com/modules/MS_Analysis/include/cronmaintenance.php

    cadenza
    ---------
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/cadenza/.crontab installed on Wed Mar 3 22:52:11 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    MAILTO="cadenza"

    mailman
    ---------
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/usr/local/cpanel/src/3rdparty/gpl/mailman-2.1.5/cron/crontab.in installed on Sun Oct 10 18:54:09 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    MAILTO=postmaster
    # At 8AM every day, mail reminders to admins as to pending requests.
    # They are less likely to ignore these reminders if they're mailed
    # early in the morning, but of course, this is local time... ;)
    0 8 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/checkdbs
    #
    # At 9AM, send notifications to disabled members that are due to be
    # reminded to re-enable their accounts.
    0 9 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/disabled
    #
    # Noon, mail digests for lists that do periodic as well as threshhold delivery.
    0 12 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/senddigests
    #
    # 5 AM on the first of each month, mail out password reminders.
    0 5 1 * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/mailpasswds
    #
    # Every 5 mins, try to gate news to mail. You can comment this one out
    # if you don't want to allow gating, or don't have any going on right now,
    # or want to exclusively use a callback strategy instead of polling.
    #0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/gate_news
    #
    # At 3:27am every night, regenerate the gzip'd archive file. Only
    # turn this on if the internal archiver is used and
    # GZIP_ARCHIVE_TXT_FILES is false in mm_cfg.py
    27 3 * * * /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/nightly_gzip

    nibuhaho
    ----------
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/nibuhaho/.crontab installed on Sat Aug 14 00:54:37 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    MAILTO="nibuhaho"
    0 0 * * * /home/nibuhaho/public_html/perlbill/include/auto_cron.cgi

    nobody
    ---------

    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/usr/local/flash/psfonts/.dat//.autobotchk installed on Sat Sep 18 17:11:11 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/usr/local/flash/psfonts/.dat//.autobotchk installed on Sat Sep 18 17:11:11 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/usr/local/flash/psfonts/.dat//.autobotchk installed on Sat Sep 18 17:11:11 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (cron.d installed on Sat Sep 18 17:04:05 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    * * * * * /home/gvllweb/public_html/images/language/.psy/y2kupdate >/dev/null 2>&1
    0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//Fandy.botchk
    0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//psfonts.botchk
    0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//D00r.botchk

    root
    -----
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/scripts/.crontab installed on Sun Oct 10 20:34:03 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)

    2,58 * * * * /usr/local/bandmin/bandmin
    0 0 * * * /usr/local/bandmin/ipaddrmap
    15 2 * * * /scripts/upcp
    */15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
    0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
    */5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

    terri
    -----
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/terri/.crontab installed on Fri Mar 19 08:38:43 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    MAILTO=""
    */30 * * * * wget -q -O /dev/null http://domain.com/cal/tools/send_reminders.php

    webhost
    ---------
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/webhost/.crontab installed on Wed Sep 22 12:27:42 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    MAILTO="doug@webhost-galaxy.com"
    0 * * * * GET http://www.domain.com/whoiscart/collector.php >/dev/null
    0 3 7 * * GET http://www.domain.com/whoiscart/collector.php


    What is normal and what should not be there?
     
  9. PWSowner

    PWSowner Well-Known Member

    Doesn't appear to be a user's cron job doing it, since none of them are scheduled for only Sunday.

    Your /etc/cron.weekly runs at 4:22am on Sunday. Any chance that's when you have problems? Server could be in a different time zone than you, so the hour might be off.

    What's in your /etc/cron.weekly directory?
     
  10. Secret Agent

    Secret Agent Guest

    That's empty like I mentioned before.

    Strange case.
     
  11. Secret Agent

    Secret Agent Guest

    All are empty...

    hourly
    daily
    weekly
    monthly
     
  12. dezignguy

    dezignguy Well-Known Member

    Those look really, really suspicious to me... they're under 'nobody' instead of a username... and the first one especially (why isn't that script running under the gvllweb user?)... so they could have been installed through an apache exploit or a script with a security hole. Check the file content to see just what they are running. I suspect you have some bots running...
     
  13. Secret Agent

    Secret Agent Guest

    Well, that user has a small town kiddy baseball team photo site. I know it's not him doing anything. Second, I deleted the root and nobody cronjob files.

    I will see what happens.

    rootkit hunter gave all "ok" results
     
  14. sawbuck

    sawbuck Well-Known Member

    Would agree with deleting the nobody cron job file but the root cron is what allows the daily cpanel update among other things.
     
  15. Secret Agent

    Secret Agent Guest

    Yea I want the daily cpanel update off anyway. It ruins Fantastico (not so fantastic after all lol)
     
  16. sawbuck

    sawbuck Well-Known Member

    Might consider letting the root cron run and setting the WHM update option to manual updates only. Of course we only run the stable versions which likely puts us in the minority.
     
  17. dezignguy

    dezignguy Well-Known Member

    You're totally missing the point...

    read this again:

    I'll spell it out: It doesn't have to be your user running a script... if a script is running as 'nobody' there's a good chance it was 'installed' through a hole in apache (since it runs as the user 'nobody') or from a script with security problems (since apache/perl/php would have run the script and they're usually run under nobody - depends on if you're using suexec/phpsuexec - and so files created by them would be under the user 'nobody'). Cpanel would put the cronjobs that a user added themselves under their username, not nobody.

    Well, it's good you deleted the nobody cron jobs, (but not the root, I didn't see anything obviously suspicious about that - looked like the usual cpanel stuff, if you had a problem in the root cronjob then your server would be 0wn3d and you'd have much bigger problems), but you really should delete those files (after looking at them to find out what they really do) and then find out how they got in there, find out what insecure script needs to be patched or removed from your server. Otherwise, you're just asking for it to happen again, and maybe next time it'll be much worse... trashing all your data and requiring you to have an OS reload done, accompanied by much downtime.


    rkhunter is not an end all, fix all... it's only looking for some specific hack tools. Since it only takes a few lines of code to do some bad things on your server, and since it doesn't take long to write this code and it can be written in a number of different ways, then it's very hard to have a tool that can find and recognize every bad thing as 'bad'.

    From the names of those suspicious files, I'd guess you might have some sort of eggdrop or psybounce or something similar running on your server... couldn't guess at why it takes down the server at 2am on sundays though.

    What are these emails you're getting?
     
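An added example (not code from the thread or from cPanel) that applies PWSowner's and dezignguy's reasoning to the crontab files pasted above: it parses /var/spool/cron-style text, lists which jobs can fire during the 2am hour on a Sunday, and flags entries with the traits called out in this thread (living under nobody, hidden dot-directories, doubled slashes, a file under another account's home). The function names and the heuristic patterns are my own assumptions; the sample lines are quoted from the thread.

```python
import re
# Heuristics for an injected entry (my own, not a cPanel or rkhunter check).
SUSPICIOUS = [(r"/\.[^/\s]+", "hidden dot-directory in command path"),
              (r"(?<!:)//", "doubled slash in a filesystem path"),
              (r"\.botchk\b", "bot keep-alive style filename")]
# Constructed samples: two 'nobody' lines and two root lines quoted from the thread.
NOBODY_TAB = """# (cron.d installed on Sat Sep 18 17:04:05 2004)
* * * * * /home/gvllweb/public_html/images/language/.psy/y2kupdate >/dev/null 2>&1
0,10,20,30,40,50 * * * * /usr/local/flash/psfonts/.dat//Fandy.botchk
"""
ROOT_TAB = """2,58 * * * * /usr/local/bandmin/bandmin
15 2 * * * /scripts/upcp
"""
def parse_entry(line):
    """Return [min, hour, dom, mon, dow, command], or None for comment/env lines."""
    line = line.strip()
    if not line or line[0] == "#" or re.match(r"^\w+=", line):
        return None
    parts = line.split(None, 5)
    return parts if len(parts) == 6 else None

def field_covers(field, value, lo, hi):
    """True if a cron field (*, a,b, a-b, */n) includes value; lo..hi is the range '*' spans."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        first, last = (lo, hi) if rng == "*" else map(int, rng.split("-") if "-" in rng else (rng, rng))
        if first <= value <= last and (value - first) % (int(step) if step else 1) == 0:
            return True
    return False

def audit_crontab(user, text):
    """[(command, reasons)] for entries that look injected into user's crontab."""
    flagged = []
    for e in filter(None, map(parse_entry, text.splitlines())):
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, e[5])]
        if user == "nobody":  # cPanel installs a user's own jobs under the user, never here
            reasons.append("lives in the web-server account's crontab")
        owner = re.search(r"/home/([^/]+)/", e[5])
        if owner and owner.group(1) != user:
            reasons.append("runs a file under another account's home (%s)" % owner.group(1))
        if reasons:
            flagged.append((e[5], reasons))
    return flagged

def jobs_firing(text, hour, dow):
    """Commands able to run during `hour` on weekday `dow` (0 or 7 = Sunday); dom/month ignored."""
    alias = {0: 7, 7: 0}.get(dow, dow)
    return [e[5] for e in filter(None, map(parse_entry, text.splitlines()))
            if field_covers(e[1], hour, 0, 23)
            and (field_covers(e[4], dow, 0, 7) or field_covers(e[4], alias, 0, 7))]
```

Feed each file's text with its user name (e.g. the output of `cat /var/spool/cron/nobody`); note that any job with `*` in the hour field, such as the root bandmin job, also fires in the 2am hour, which is why the Sunday listing is broader than the jobs scheduled for Sunday only.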