From: Scott on 1 Mar 2007 18:18

Apologies if this is the wrong place or it is a stupid question, but I have the following 2 Cron Jobs on my Fedora box and I have no idea what they do or even if they are supposed to be there!

The Cron Jobs are:-

chown root:root /tmp/sys_prctl && chmod 4755 /tmp/sys_prctl && rm -rf /etc/cron.d/core && kill -USR1 18562

and

chown root:root /dev/shm/sys && chmod 4755 /dev/shm/sys && rm -rf /etc/cron.d/core && kill -USR1 17916

Both are set to run every minute.

I cannot find anything on Google so thought I would ask here - should these entries worry me or are they normal?

Cheers for any help
Scott

From: Tommy Reynolds on 1 Mar 2007 21:25

On Thu, 01 Mar 2007 23:18:30 +0000, Scott wrote:

> Apologies if this is the wrong place or it is a stupid question, but I
> have the following 2 Cron Jobs on my Fedora box and I have no idea what
> they do or even if they are supposed to be there!
> The Cron Jobs are:-
> chown root:root /tmp/sys_prctl && chmod 4755 /tmp/sys_prctl && rm -rf /etc/cron.d/core && kill -USR1 18562
> and
> chown root:root /dev/shm/sys && chmod 4755 /dev/shm/sys && rm -rf /etc/cron.d/core && kill -USR1 17916
> Both are set to run every minute.
> I cannot find anything on Google so thought I would ask here - should these
> entries worry me or are they normal?

I'm sorry to say that you've probably been hacked. What files did you find this in? The "kill -USR1 17916" is a very non-standard thing to drop in to a cron file: the 17916 is a hard-wired process ID and no reputable CRON writer would do that.

HTH

From: left_coast on 2 Mar 2007 02:31

Tommy Reynolds wrote:

> On Thu, 01 Mar 2007 23:18:30 +0000, Scott wrote:
>
>> Apologies if this is the wrong place or it is a stupid question, but I
>> have the following 2 Cron Jobs on my Fedora box and I have no idea what
>> they do or even if they are supposed to be there!
>> The Cron Jobs are:-
>> chown root:root /tmp/sys_prctl && chmod 4755 /tmp/sys_prctl && rm -rf /etc/cron.d/core && kill -USR1 18562
>> and
>> chown root:root /dev/shm/sys && chmod 4755 /dev/shm/sys && rm -rf /etc/cron.d/core && kill -USR1 17916
>> Both are set to run every minute.
>> I cannot find anything on Google so thought I would ask here - should
>> these entries worry me or are they normal?
>
> I'm sorry to say that you've probably been hacked. What files did
> you find this in? The "kill -USR1 17916" is a very non-standard
> thing to drop in to a cron file: the 17916 is a hard-wired process ID
> and no reputable CRON writer would do that.
>
> HTH

I agree, also, a chmod 4755 on a file in /tmp???? In a cron job? I can think of no legitimate reason for doing this. The only thing that is done that even comes close to having a legitimate reason is the removing of core files, but when core dumps are enabled a cron job to remove core files usually is set up to clean up more than a single directory. Not much to make me think they are legitimate cron jobs.

From: Scott on 2 Mar 2007 15:13

left_coast <no(a)a.bat> wrote in news:4f0lb4-upd.ln1(a)alta.sierrandays.org:

> Tommy Reynolds wrote:
>
>> I'm sorry to say that you've probably been hacked. What files did
>> you find this in? The "kill -USR1 17916" is a very non-standard
>> thing to drop in to a cron file: the 17916 is a hard-wired process ID
>> and no reputable CRON writer would do that.
>>
>> HTH
>
> I agree, also, a chmod 4755 on a file in /tmp???? In a cron job? I can
> think of no legitimate reason for doing this. The only thing that is
> done that even comes close to having a legitimate reason is the
> removing of core files, but when core dumps are enabled a cron job to
> remove core files usually is set up to clean up more than a single
> directory. Not much to make me think they are legitimate cron jobs.

Thanks for the replies guys. I did some more digging and the box is compromised so I will vape it and reinstall this weekend.
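
The signs raised in the replies (a setuid mode set on a file in /tmp or /dev/shm, a hard-wired process ID passed to kill) can be checked mechanically when triaging cron entries. The following Python is an added example, not part of the thread: the function name, finding labels and the benign sample lines are constructed for illustration, and it audits only the command part of a cron entry.

```python
import re

# Directories any local user can write to; setuid-root files there are a red flag.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
CRON_PATHS = ("/etc/cron.d/", "/etc/crontab", "/var/spool/cron/")


def audit_cron_command(command):
    """Return a sorted list of finding names for one cron command string."""
    findings = set()
    for part in re.split(r"&&|\|\||;", command):
        argv = part.split()
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]  # accept /bin/chmod as well as chmod
        args = [a for a in argv[1:] if not a.startswith("-")]  # drop options
        exposed = any(a.startswith(WORLD_WRITABLE) for a in args[1:])
        if tool == "chmod" and args and exposed:
            mode = args[0]
            octal_setid = re.fullmatch(r"[0-7]{4}", mode) and int(mode, 8) & 0o6000
            symbolic_setid = re.search(r"[+=][rwxXt]*s", mode)
            if octal_setid or symbolic_setid:
                findings.add("setid-bit-in-world-writable-dir")
        elif tool == "chown" and args and exposed:
            if args[0].split(":")[0] in ("root", "0"):
                findings.add("root-chown-in-world-writable-dir")
        elif tool == "kill" and any(a.isdigit() for a in args):
            findings.add("hard-coded-pid")
        elif tool == "rm" and any(a.startswith(CRON_PATHS) for a in args):
            findings.add("removes-cron-entry")
    return sorted(findings)


# The two commands quoted in the thread, then constructed benign entries.
SAMPLES = [
    "chown root:root /tmp/sys_prctl && chmod 4755 /tmp/sys_prctl && rm -rf /etc/cron.d/core && kill -USR1 18562",
    "chown root:root /dev/shm/sys && chmod 4755 /dev/shm/sys && rm -rf /etc/cron.d/core && kill -USR1 17916",
    "find /var/crash -name 'core.*' -mtime +7 -delete",  # constructed
    "kill -HUP $(cat /var/run/syslogd.pid)",  # constructed: PID read at run time
    "chmod 0644 /tmp/report.txt",  # constructed: no setuid/setgid bit
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(audit_cron_command(cmd) or ["ok"], "<-", cmd)
```
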