Where are users' crontabs stored?

Discussion in 'General Discussion' started by BianchiDude, Jul 15, 2005.

  1. BianchiDude

    How do I disable this?
    Jul 15 12:02:00 server1 CROND[32110]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:03:00 server1 CROND[32544]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:04:00 server1 CROND[534]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:05:01 server1 CROND[855]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:06:00 server1 CROND[1303]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:07:00 server1 CROND[1958]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:08:00 server1 CROND[2582]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:09:00 server1 CROND[2980]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:10:00 server1 CROND[3451]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:11:02 server1 CROND[4171]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:12:00 server1 CROND[4740]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:13:00 server1 CROND[5150]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    Jul 15 12:14:00 server1 CROND[5664]: (nobody) CMD (/dev/shm/. /.psy/y2kupdate >/dev/null 2>&1)
    root@server1 [/]# tail -500 /var/log/cron | grep y2kupdate | wc -l
    125
     
  2. chirpy

    /var/spool/cron/username

    You've clearly had a compromise on the server, through a PHP script, most likely through old phpBB or phpNuke scripts. You'll need to clean up cron and clean up all those exploit files and plug whatever hole they got in through.
     
  3. HostingZero.com

    You could also run crontab -u nobody -l. That will list user nobody's crontab. You can edit that crontab by running crontab -u nobody -e.

    Hope that helps too.

    Regards.
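
The two places this thread points to (the per-user files under /var/spool/cron and the CROND lines in /var/log/cron) can be checked together. The following is an added example, not part of any poster's reply; the function names and the path heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the heuristic are
# assumptions: a cron command is flagged when it references a world-writable
# directory (/dev/shm as in the log above, plus /tmp and /var/tmp) or a hidden
# dot-prefixed path component such as /.psy.
AWK_SUSPECT='function suspect(s) {
    return s ~ "(^|[ \t=])/(dev/shm|tmp|var/tmp)/" || s ~ "/\\.[^/. \t]"
}'

# Print "user<TAB>entry" for every active (non-comment) crontab line that
# matches. $1 is the spool directory; defaults to /var/spool/cron.
audit_cron_spool() {
    spool="${1:-/var/spool/cron}"
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        awk -v user="${f##*/}" "$AWK_SUSPECT"'
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            suspect($0) { printf "%s\t%s\n", user, $0 }' "$f"
    done
}

# Print "count<TAB>user<TAB>command" for suspicious jobs in a cron log,
# collapsing the per-minute repeats. $1 is the log; defaults to /var/log/cron.
cron_log_suspects() {
    awk "$AWK_SUSPECT"'
        /CROND\[[0-9]+\]: \(/ {
            i = index($0, ": ("); j = index($0, ") CMD (")
            if (!i || !j) next
            user = substr($0, i + 3, j - i - 3)
            cmd = substr($0, j + 7); sub(/\)$/, "", cmd)
            if (suspect(cmd)) count[user "\t" cmd]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "${1:-/var/log/cron}" | sort -rn
}
```

Source the file as root and call `audit_cron_spool` and `cron_log_suspects`; a match is a lead for review, since legitimate jobs can also reference dot-directories.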
     