The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Could someone tell me what this is please.

Discussion in 'General Discussion' started by leftie, Sep 3, 2007.

  1. leftie

    leftie Well-Known Member

    Joined:
    Jan 20, 2007
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Hi, i've just started to get emails saying a cron has started and all i get in the mail is this

    /usr/local/lp/apps/tzcheck.sh: no such file found.

    Can someone explain what it is please.
     
  2. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    From my experience this is a malicious script that has been added to cron in order to restart at different times.

    I recommend looking at the file to see what it's doing, as this is most likely some type of remote shell script.
     
  3. leftie

    leftie Well-Known Member

    Joined:
    Jan 20, 2007
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Thanks. I'll let you know the results.
     
  4. leftie

    leftie Well-Known Member

    Joined:
    Jan 20, 2007
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    This is all that is in it. What does it mean??

    Code:
    #/bin/sh
    
    /usr/sbin/zdump -v EST5EDT | /bin/grep 2007 > /usr/local/lp/var/zdump-EST5EDT
    /usr/sbin/zdump -v /etc/localtime | /bin/grep 2007 > /usr/local/lp/var/zdump-localtime
    /usr/sbin/zdump -v /usr/share/zoneinfo/America/Indianapolis  | grep 2007 > /usr/local/lp/var/zdump-Indianapolis
    
     
  5. leftie

    leftie Well-Known Member

    Joined:
    Jan 20, 2007
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for your help.:)
     
  6. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    Appears to be doing some checks on the timezone. No reason to be worried about hat script. It doesn't appear to be doing anything harmful.
     
  7. erik@delphi

    erik@delphi Well-Known Member

    Joined:
    Jul 9, 2005
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
    hi,

    you can use something like this for naughty cron stuff

    Code:
    #!/bin/sh
    myemail=$1
    if [ -n "$myemail" ] ; then
            mycrontmp=/root/cron.tmp.$$
            # get current user list
            for i in `cat /etc/passwd | cut -f1 -d ':' | grep -v '#'`; do
                    echo "--------------------------------------------------"
                    echo "Username: ${i}"
                    echo "--------------------------------------------------"
                    crontab -u ${i} -l 2>&1
                    echo "--------------------------------------------------"
            done > $mycrontmp
            cat $mycrontmp | mail -s "crontab report for `hostname`" ${myemail}
            rm -f $mycrontmp
    else
            echo "Please supply a valid email address to get the report."
            exit
    fi
    
    chmod 755 scriptname.sh
    usage ./scriptname.sh you@mail.com

    it will show you the cronjobs from all accounts on the server so you can do something if you find anything naughty
     
  8. leftie

    leftie Well-Known Member

    Joined:
    Jan 20, 2007
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Thanks, do i just run that from ssh and the add the bits at the bottom of the page as well(email edited).
     
Loading...

Share This Page