Rogue cron job on crontab

[mbekezm]

Hello

I have an issue with a cronjob that seems to be the one thats keeps on hacking websites to send spam .

If i do the crontab -e it shows as below but i can't seem to be able to scroll down enough to delete it

any ideas hopw i can tackle this ?

i.imgur.com/UqsgSPx.png

 

[cPanelLauren]

That's not a cronjob, that's the file descriptor for crontab that's being held in tmp when you view/edit it that is present any time you view the crontab. For example:

0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
@reboot /usr/local/cpanel/bin/onboot_handler
8 0 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
17 5 * * * (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron > /dev/null)
0 1 * * * /usr/local/cpanel/scripts/cpbackup
0 2 * * * /usr/local/cpanel/bin/backup
35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
45 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache
30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
25 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1
14,29,44,59 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
4 0 * * * /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
~
~
"/tmp/crontab.Ucz2s6" 19L, 1439C

 

[mbekezm]

Thank you.

Is they a way i can find out the cPanel user who created the folder/file ?

Edit : I found the file but every time i delete it from tmp it comes back again using another name and the contents of the fiole are unreadable. This file changes name every now and then and i'm getting worried .

I just went through every account on the server cleaning up those that seemed to have funny looking cron jobs but this won't go away.

 

[cPanelLauren]

They won't go away, they're held in /tmp when being edited or updated by the system. Cron jobs do not appear to be the source of your issue from the information you've provided.