ERROR: You (nobody) are not allowed to use this program (crontab)

BeNE.WS

Hello, every hour we receive an email from the server (Cron Daemon) that somebody is using a cronjob.

How can we find out who is using this cronjob?

This is the email:

SUBJECT:
Cron <[email protected]> echo -n -e "`crontab -l|grep '\#\ id\ '|head -n 1|sed s/\#\ id\ //`" >/tmp/.crontmp; /usr/bin/perl /tmp/.crontmp >/dev/null; rm /tmp/.crontmp >/dev/null # id

MESSAGE:
You (nobody) are not allowed to use this program (crontab)
See crontab(1) for more information
 

chirpy

I would assume it means that someone has created a crontab under the user nobody. You can check for the file in /var/spool/cron/nobody. If it is there, then you most likely have someone exploiting PHP script(s) on your server and you need to track it down and close the vulnerability. Typically they're exploited for sending out spam, IRC bots and launching DOS attacks, though they can just as easily be used to launch a root compromise attack, so you need to get the issue resolved immediately.
 

BeNE.WS

chirpy said:
I would assume it means that someone has created a crontab under the user nobody. You can check for the file in /var/spool/cron/nobody. If it is there, then you most likely have someone exploiting PHP script(s) on your server and you need to track it down and close the vulnerability. Typically they're exploited for sending out spam, IRC bots and launching DOS attacks, though they can just as easily be used to launch a root compromise attack, so you need to get the issue resolved immediately.
Thanks for your help.

The following is in that file:
UW PICO(tm) 4.2 File: nobody

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/.v2yrddd9q7 installed on Sat Dec 11 06:01:00 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/.9igy6603eq installed on Sat Dec 11 05:01:01 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/.8tu4i0c4y11 installed on Sat Dec 11 04:01:00 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# DO NOT EDIT THIS FILE - edit the master and reinstall.
UW PICO(tm) 4.2 File: nobody

.....

Where can I find "THE MASTER"?
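
The spool check discussed in this thread, as an added example that is not part of the original posts: each "installed on" header written by Vixie crontab names the file that was handed to `crontab` at that time, so listing those headers gives the install history of a service account's crontab. The account list other than `nobody`, the function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a cron spool for crontabs owned by service accounts.
# Only "nobody" comes from the thread; the other account names are assumptions.
SERVICE_USERS="nobody apache www-data httpd"
TAB=$(printf '\t')

# Print "install time<TAB>installed file" for every install header in a crontab.
# Vixie crontab writes "# (<file> installed on <date>)" on each install.
install_history() {
    sed -n "s/^# (\(.*\) installed on \(.*\))\$/\2${TAB}\1/p" "$1"
}

# Report each service-account crontab under a spool directory:
# its install history and the job lines that are actually scheduled.
audit_spool() {
    spool=$1
    for user in $SERVICE_USERS; do
        file="$spool/$user"
        [ -f "$file" ] || continue
        echo "== $file"
        echo "-- install history (time, file passed to crontab):"
        install_history "$file"
        echo "-- active job lines:"
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$file" || echo "(none)"
    done
    return 0
}

# Constructed sample spool: header lines as quoted in the thread,
# plus a placeholder job line that is not from the thread.
demo_spool=$(mktemp -d)
cat > "$demo_spool/nobody" <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/.v2yrddd9q7 installed on Sat Dec 11 06:01:00 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/.9igy6603eq installed on Sat Dec 11 05:01:01 2004)
# (/tmp/.8tu4i0c4y11 installed on Sat Dec 11 04:01:00 2004)
# placeholder job below (constructed)
0 * * * * /path/to/job
EOF

audit_spool "$demo_spool"
```

On a live system, run `audit_spool /var/spool/cron` as root; the files named in the headers are worth preserving for analysis if they still exist.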