-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, Sep 02, 2006 at 04:25:34PM -0400, Matthew T. O'Connor wrote:
Cron is sending me an email once per minute, the emails look like this:
Subject: Cron root@host chown root:root /dev/shm/local/local5 && chmod 4755 /dev/shm/local/local5 && rm -rf /etc/cron.d/core && kill -USR1 7140
Body: chown: cannot access `/dev/shm/local/local5': No such file or directory
I've un-installed and reinstalled the vixie-cron packages, I have verified that they are not corrupted by using rpm --verify vixie-cron, I have checked all the crontabs on the system there aren't any running every minute.
I don't understand why this is happening, anyone have any insight?
Someone is either trying or already managed to exploit your machine using CVE-2006-2451.
Make sure you are using at least 2.6.9-34.0.2, where this issue was fixed. Any version older than that is vulnerable, and you are in deep trouble.
To manually remove the file that is triggering the cron message, check for a file named core.XXXXX (where XXXXX is a number) inside /etc/cron.d.
- -- Rodrigo Barbosa "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)