Could someone tell me what this is please.

leftie

Well-Known Member
Jan 20, 2007
69
0
156
Hi, i've just started to get emails saying a cron has started and all i get in the mail is this

/usr/local/lp/apps/tzcheck.sh: no such file found.

Can someone explain what it is please.
 

Todd Mitchell

Well-Known Member
Staff member
Nov 13, 2006
301
1
243
Houston, TX
From my experience this is a malicious script that has been added to cron in order to restart at different times.

I recommend looking at the file to see what it's doing, as this is most likely some type of remote shell script.
 

leftie

Well-Known Member
Jan 20, 2007
69
0
156
This is all that is in it. What does it mean??

Code:
#/bin/sh

/usr/sbin/zdump -v EST5EDT | /bin/grep 2007 > /usr/local/lp/var/zdump-EST5EDT
/usr/sbin/zdump -v /etc/localtime | /bin/grep 2007 > /usr/local/lp/var/zdump-localtime
/usr/sbin/zdump -v /usr/share/zoneinfo/America/Indianapolis  | grep 2007 > /usr/local/lp/var/zdump-Indianapolis
 

Todd Mitchell

Well-Known Member
Staff member
Nov 13, 2006
301
1
243
Houston, TX
Appears to be doing some checks on the timezone. No reason to be worried about hat script. It doesn't appear to be doing anything harmful.
 

[email protected]

Well-Known Member
Jul 9, 2005
78
0
156
Belgium
hi,

you can use something like this for naughty cron stuff

Code:
#!/bin/sh
myemail=$1
if [ -n "$myemail" ] ; then
        mycrontmp=/root/cron.tmp.$$
        # get current user list
        for i in `cat /etc/passwd | cut -f1 -d ':' | grep -v '#'`; do
                echo "--------------------------------------------------"
                echo "Username: ${i}"
                echo "--------------------------------------------------"
                crontab -u ${i} -l 2>&1
                echo "--------------------------------------------------"
        done > $mycrontmp
        cat $mycrontmp | mail -s "crontab report for `hostname`" ${myemail}
        rm -f $mycrontmp
else
        echo "Please supply a valid email address to get the report."
        exit
fi
chmod 755 scriptname.sh
usage ./scriptname.sh [email protected]

it will show you the cronjobs from all accounts on the server so you can do something if you find anything naughty
 

leftie

Well-Known Member
Jan 20, 2007
69
0
156
Thanks, do i just run that from ssh and the add the bits at the bottom of the page as well(email edited).