The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ERROR: You (nobody) are not allowed to use this program (crontab)

Discussion in 'General Discussion' started by BeNE.WS, Sep 8, 2005.

  1. BeNE.WS

    BeNE.WS Well-Known Member

    Joined:
    May 14, 2003
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
    Hello, every hour we receive an email from the server (Cron Daemon) that somebody is using a cronjob.

    How can we find out who is using this cronjob ?

    This is the email:

    SUBJECT:
    Cron <nobody@server1> echo -n -e "`crontab -l|grep '\#\ id\ '|head -n 1|sed s/\#\ id\ //`" >/tmp/.crontmp; /usr/bin/perl /tmp/.crontmp >/dev/null; rm /tmp/.crontmp >/dev/null # id

    MESSAGE:
    You (nobody) are not allowed to use this program (crontab)
    See crontab(1) for more information
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I would assume it means that someone has created a crontab under the user nobody. You can check for the file in /var/spoo/cron/nobody. If it is there, then you most likely have someone exploiting PHP script(s) on your server and you need to track it down and close the vulnerability. Typically they're exploited for sending out spam, IRC bots and launching DOS attacks, though they can just as easily be used to launch a root compromise attack, so you need to get the issue resolved immediately.
     
  3. BeNE.WS

    BeNE.WS Well-Known Member

    Joined:
    May 14, 2003
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Belgium
    Thanks for your help.

    The following is in that file:
    UW PICO(tm) 4.2 File: nobody

    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/tmp/.v2yrddd9q7 installed on Sat Dec 11 06:01:00 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/tmp/.9igy6603eq installed on Sat Dec 11 05:01:01 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/tmp/.8tu4i0c4y11 installed on Sat Dec 11 04:01:00 2004)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    UW PICO(tm) 4.2 File: nobody

    .....

    Where can I find "THE MASTER" ?
     
Loading...

Share This Page