The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Finding crons?

Discussion in 'General Discussion' started by gallent, Sep 23, 2006.

  1. gallent

    gallent Registered

    Joined:
    Sep 12, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Is there a way to find bloody crons? Specifically one that are running every minute! Im getting hammered by some jobs that were trying to change permissions on an account, it runs everyminute, i deleted the path where it was trying to edit, i just cant find the source!

    Code:
    1GQrpV-0005cn-4w-H
    root 0 0
    <root@site.mydomain.com>
    1158957661 0
    -ident root
    -received_protocol local
    -body_linecount 2
    -auth_id root
    -auth_sender root@site.mydomain.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -deliver_firsttime
    -local
    XX
    1
    root@site.mydomain.com
    
    158P Received: from root by site.mydomain.com with local (Exim 4.52)
    	id 1GQrpV-0005cn-4w
    	for root@site.mydomain.com; Sat, 23 Sep 2006 06:41:01 +1000
    025* From: root (Cron Daemon)
    049F From: root@site.mydomain.com (Cron Daemon)
    009* To: root
    033T To: root@site.mydomain.com
    099  Subject: Cron <root@site>   [B]chown root /tmp/pwned; chmod 4755 /tmp/pwned; rm -f[/B] /etc/cron.d/core
    028  X-Cron-Env: <SHELL=/bin/sh>
    049  X-Cron-Env: <PATH=/usr/bin:/usr/sbin:/sbin:/bin>
    025  X-Cron-Env: <HOME=/root>
    027  X-Cron-Env: <LOGNAME=root>
    024  X-Cron-Env: <USER=root>
    056I Message-Id: <E1GQrpV-0005cn-4w@site.mydomain.com>
    038  Date: Sat, 23 Sep 2006 06:41:01 +1000
    
    ---
    
    1GQrpV-0005cn-4w-D
    chown: cannot access `/tmp/pwned': No such file or directory
    chmod: cannot access `/tmp/pwned': No such file or directory
    If that helps or makes any sense.... i get 1 of those emails in my queue every 30sec-1min. By the end of the day i delete thousands of them. >.< only because it doesnt go anywhere obvously. But a job is still running and i need to find out where it is some how. Any ideas? Thanks in advanced
     
  2. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    crontab -e

    /var/spool/cron

    only edit roots cron from crontab -e
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you edit the crontab files in /var/spool/cron/ you should either use:

    crontab -e -u username

    Or restart crond after editing the spool file manually (using the crontab command is probably best).
     
  4. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Just FYI - that is a local root exploit on your machine
     
    #4 nyjimbo, Sep 24, 2006
    Last edited: Sep 24, 2006
Loading...

Share This Page