gallent

Is there a way to find bloody crons? Specifically ones that are running every minute! I'm getting hammered by some jobs that were trying to change permissions on an account. It runs every minute. I deleted the path where it was trying to edit; I just can't find the source!

Code:
1GQrpV-0005cn-4w-H
root 0 0
<[email protected]>
1158957661 0
-ident root
-received_protocol local
-body_linecount 2
-auth_id root
-auth_sender [email protected]
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
XX
1
[email protected]

158P Received: from root by site.mydomain.com with local (Exim 4.52)
	id 1GQrpV-0005cn-4w
	for [email protected]; Sat, 23 Sep 2006 06:41:01 +1000
025* From: root (Cron Daemon)
049F From: [email protected] (Cron Daemon)
009* To: root
033T To: [email protected]
099  Subject: Cron <[email protected]>   chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f /etc/cron.d/core
028  X-Cron-Env: <SHELL=/bin/sh>
049  X-Cron-Env: <PATH=/usr/bin:/usr/sbin:/sbin:/bin>
025  X-Cron-Env: <HOME=/root>
027  X-Cron-Env: <LOGNAME=root>
024  X-Cron-Env: <USER=root>
056I Message-Id: <[email protected]>
038  Date: Sat, 23 Sep 2006 06:41:01 +1000

---

1GQrpV-0005cn-4w-D
chown: cannot access `/tmp/pwned': No such file or directory
chmod: cannot access `/tmp/pwned': No such file or directory
If that helps or makes any sense... I get 1 of those emails in my queue every 30sec-1min. By the end of the day I delete thousands of them. >.< only because it doesn't go anywhere, obviously. But a job is still running and I need to find out where it is somehow. Any ideas? Thanks in advance.
 

chirpy

If you edit the crontab files in /var/spool/cron/ you should either use:

crontab -e -u username

Or restart crond after editing the spool file manually (using the crontab command is probably best).
 
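Added example, not part of any post in this thread: crond also loads jobs from /etc/crontab and /etc/cron.d, which `crontab -e -u username` does not show, so this sketch searches every cron source for the command text quoted in the cron mail's Subject line and lists entries scheduled every minute. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: find which cron file holds a job named in a cron mail.
# ROOT is "/" on a live host, or the path of a mounted image or backup.

# Every file crond loads jobs from, not only the per-user spool files.
cron_sources() {
    root=${1%/}
    for p in "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron"; do
        [ ! -e "$p" ] || find "$p" -type f
    done
}

# Files containing the literal command text from the mail's Subject line.
# -a: treat files that are not plain text as text, so they are searched too.
cron_grep() {
    cron_sources "$1" | while IFS= read -r f; do
        grep -a -l -F -- "$2" "$f" || true
    done
}

# Entries whose minute field is "*" or "*/1": jobs that fire every minute.
cron_every_minute() {
    cron_sources "$1" | while IFS= read -r f; do
        grep -a -H -n -E '^[[:space:]]*\*(/1)?[[:space:]]' "$f" || true
    done
}

# Constructed sample tree (hypothetical, not data from the poster's server).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/cron.d" "$t/var/spool/cron"
    printf '17 * * * * root run-parts /etc/cron.hourly\n' > "$t/etc/crontab"
    printf '*/5 * * * * /usr/bin/true\n' > "$t/var/spool/cron/someuser"
    printf 'junk\000\n* * * * * root chown root /tmp/pwned; chmod 4755 /tmp/pwned\n' \
        > "$t/etc/cron.d/core"
    echo "$t"
}

sample=$(make_sample_tree)
cron_grep "$sample" '/tmp/pwned'
cron_every_minute "$sample"
rm -rf "$sample"
```

On a live host, call `cron_grep / '/tmp/pwned'` as root so the spool files are readable.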

nyjimbo

Just FYI - that is a local root exploit on your machine
 