Every day I see this in chkrootkit's log -
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected
I know I met this once before, but I can't remember whether there is any cure for it. It doesn't seem possible to remove nobody in kcron, and there are no tasks set. What could/should I do about it?
Anne
On Sun, Jul 20, 2008 at 4:55 AM, Anne Wilson cannewilson@googlemail.com wrote:
Every day I see this in chkrootkit's log -
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected
I know I met this once before, but I can't remember whether there is any cure for it. It doesn't seem possible to remove nobody in kcron, and there are no tasks set. What could/should I do about it?
What does 'crontab -u nobody -l' show ?
On Sunday 20 July 2008 14:05:45 Jim Perrin wrote:
On Sun, Jul 20, 2008 at 4:55 AM, Anne Wilson cannewilson@googlemail.com
wrote:
Every day I see this in chkrootkit's log -
Checking `crontab'... Warning: crontab for nobody found, possible Lupper.Worm... not infected
I know I met this once before, but I can't remember whether there is any cure for it. It doesn't seem possible to remove nobody in kcron, and there are no tasks set. What could/should I do about it?
What does 'crontab -u nobody -l' show ?
Nothing at all - it just returns to the prompt.
Anne
On Sun, Jul 20, 2008, Anne Wilson wrote:
On Sunday 20 July 2008 16:24:31 Robert - elists wrote:
What does 'crontab -u nobody -l' show ?
Nothing at all - it just returns to the prompt.
Anne
Anne,
It should say "no crontab for nobody" or show the crontab
Eh?
It doesn't do either
Does anything show up with ``find /var/spool/cron -type f''?
Bill
On Sunday 20 July 2008 17:44:23 Bill Campbell wrote:
On Sun, Jul 20, 2008, Anne Wilson wrote:
On Sunday 20 July 2008 16:24:31 Robert - elists wrote:
What does 'crontab -u nobody -l' show ?
Nothing at all - it just returns to the prompt.
Anne
Anne,
It should say "no crontab for nobody" or show the crontab
Eh?
It doesn't do either
Does anything show up with ``find /var/spool/cron -type f''?
/var/spool/cron/apache /var/spool/cron/rpc /var/spool/cron/nobody /var/spool/cron/ftp /var/spool/cron/hsqldb /var/spool/cron/adm /var/spool/cron/bin /var/spool/cron/shutdown /var/spool/cron/rpm /var/spool/cron/gillian /var/spool/cron/sync /var/spool/cron/xfs /var/spool/cron/sabayon /var/spool/cron/news /var/spool/cron/avahi /var/spool/cron/gdm /var/spool/cron/halt /var/spool/cron/andy /var/spool/cron/haldaemon /var/spool/cron/anne /var/spool/cron/dovecot /var/spool/cron/mailnull /var/spool/cron/nfsnobody /var/spool/cron/clamav /var/spool/cron/gopher /var/spool/cron/operator /var/spool/cron/beaglidx /var/spool/cron/postgres /var/spool/cron/root /var/spool/cron/games /var/spool/cron/mail /var/spool/cron/sshd /var/spool/cron/rpcuser /var/spool/cron/daemon /var/spool/cron/nscd /var/spool/cron/david /var/spool/cron/groupware /var/spool/cron/pcap /var/spool/cron/smmsp /var/spool/cron/postfix /var/spool/cron/ntp /var/spool/cron/uucp /var/spool/cron/lp /var/spool/cron/dbus /var/spool/cron/vcsa
Anne
On Sun, Jul 20, 2008 at 07:18:05PM +0100, Anne Wilson wrote:
On Sunday 20 July 2008 17:44:23 Bill Campbell wrote:
Does anything show up with ``find /var/spool/cron -type f''?
/var/spool/cron/apache /var/spool/cron/rpc
[43 more lines deleted]
Wow, looks like somebody or something has created crontab entries for every user on your machine. That's wrong. Typically, out of the box, there are no entries.
What does find /var/spool/cron -type f ! -size 0 show?
Hopefully it will be nothing.
This can be used to delete all the zero length entries: find /var/spool/cron -type f -size 0 -exec rm {} \;
Now this is a cleanup of the problem, but it doesn't explain _how_ those entries were created in the first place. Are you using some form of automated admin interface?
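The audit-then-clean procedure described in this message (list the crontabs that actually contain jobs, then remove the zero-length ones chkrootkit trips on), as an added example that is not from the thread. It runs against a constructed temporary spool directory that mimics the poster's situation; the directory name and the sample rsync job are assumptions, and pointing it at /var/spool/cron requires root.

```shell
#!/bin/sh
# Added example, not from the thread: audit a cron spool directory the way the
# message above does it. SPOOL is a constructed temp dir so this runs offline;
# substitute /var/spool/cron (as root) on a real system.
set -u

# Print the crontab files under $1 that are non-empty, i.e. the ones that
# really carry jobs and deserve a look (find ... ! -size 0), sorted.
nonempty_crontabs() {
    find "$1" -type f ! -size 0 | sort
}

# Delete the zero-length crontab files under $1 using the thread's own
# command, and print how many were removed so the caller can check the count.
remove_empty_crontabs() {
    before=$(find "$1" -type f -size 0 | wc -l)
    find "$1" -type f -size 0 -exec rm -f {} \;
    echo $((before))
}

# Constructed sample spool: three real crontabs (as in the thread) plus a set
# of empty ones for system accounts, including the "nobody" file chkrootkit flags.
make_sample_spool() {
    d=$(mktemp -d)
    for u in anne root david; do
        printf '0 2 * * * rsync -a /home /backup\n' > "$d/$u"
    done
    for u in nobody apache ftp games mail; do
        : > "$d/$u"
    done
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    SPOOL=$(make_sample_spool)
    echo "non-empty crontabs in $SPOOL:"
    nonempty_crontabs "$SPOOL"
    echo "removed $(remove_empty_crontabs "$SPOOL") empty crontab(s)"
    rm -rf "$SPOOL"
fi
```

Run with `--demo` to see the three populated crontabs listed and the five empty ones removed.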
On Sunday 20 July 2008 21:23:52 Stephen Harris wrote:
On Sun, Jul 20, 2008 at 07:18:05PM +0100, Anne Wilson wrote:
On Sunday 20 July 2008 17:44:23 Bill Campbell wrote:
Does anything show up with ``find /var/spool/cron -type f''?
/var/spool/cron/apache /var/spool/cron/rpc
[43 more lines deleted]
Wow, looks like somebody or something has created crontab entries for every user on your machine. That's wrong. Typically, out of the box, there are no entries.
What does find /var/spool/cron -type f ! -size 0 show?
Does that mean 'not = size 0'?
/var/spool/cron/anne /var/spool/cron/root /var/spool/cron/david
These are as expected. They run rsync commands for backup.
Hopefully it will be nothing.
This can be used to delete all the zero length entries: find /var/spool/cron -type f -size 0 -exec rm {} \;
Now this is a cleanup of the problem, but it doesn't explain _how_ those entries were created in the first place. Are you using some form of automated admin interface?
I can't think of anything that explains this. I have a 6-month-old CentOS 5.2 install, with nothing out of the ordinary, as far as I can recall.
Anne
On Sun, Jul 20, 2008 at 10:04:00PM +0100, Anne Wilson wrote:
On Sunday 20 July 2008 21:23:52 Stephen Harris wrote:
What does find /var/spool/cron -type f ! -size 0 show?
Does that mean 'not = size 0'?
"not (size = 0)", but yeah.
/var/spool/cron/anne /var/spool/cron/root /var/spool/cron/david
These are as expected. They run rsync commands for backup.
OK, so all the others can (and probably should) be deleted.
I can't think of anything that explains this. I have a 6-month-old CentOS 5.2 install, with nothing out of the ordinary, as far as I can recall.
I doubt it; 5.2 hasn't been around for 6 months; the release announcement for 5.2 is dated Jun 24; http://lists.centos.org/pipermail/centos-announce/2008-June/014999.html
Could have been a 5.1 install
On Sun, 2008-07-20 at 17:28 -0400, Stephen Harris wrote:
On Sun, Jul 20, 2008 at 10:04:00PM +0100, Anne Wilson wrote:
I can't think of anything that explains this. I have a 6-month-old CentOS 5.2 install, with nothing out of the ordinary, as far as I can recall.
I doubt it; 5.2 hasn't been around for 6 months; the release announcement for 5.2 is dated Jun 24; http://lists.centos.org/pipermail/centos-announce/2008-June/014999.html
Could have been a 5.1 install
Type in 'cat /etc/issue' to see what it says.
John.
On Sun, Jul 20, 2008 at 10:32:49PM +0100, John Horne wrote:
On Sun, 2008-07-20 at 17:28 -0400, Stephen Harris wrote:
On Sun, Jul 20, 2008 at 10:04:00PM +0100, Anne Wilson wrote:
I can't think of anything that explains this. I have a 6-month-old CentOS 5.2
I doubt it; 5.2 hasn't been around for 6 months; the release announcement
Could have been a 5.1 install
Type in 'cat /etc/issue' to see what it says.
Doesn't tell you what it was at build time; merely what it is now. My machine says 5.2 but it was just plain "5" when I built it last year :-)
On Sunday 20 July 2008 22:32:49 John Horne wrote:
On Sun, 2008-07-20 at 17:28 -0400, Stephen Harris wrote:
On Sun, Jul 20, 2008 at 10:04:00PM +0100, Anne Wilson wrote:
I can't think of anything that explains this. I have a 6-month-old CentOS 5.2 install, with nothing out of the ordinary, as far as I can recall.
I doubt it; 5.2 hasn't been around for 6 months; the release announcement for 5.2 is dated Jun 24; http://lists.centos.org/pipermail/centos-announce/2008-June/014999.html
Could have been a 5.1 install
Type in 'cat /etc/issue' to see what it says.
CentOS release 5.2 (Final)
Kernel \r on an \m
Yes, I was inaccurate. It would have been a 5.1 install, constantly updated.
Anne
On Sun, 2008-07-20 at 22:04 +0100, Anne Wilson wrote:
On Sunday 20 July 2008 21:23:52 Stephen Harris wrote:
What does find /var/spool/cron -type f ! -size 0 show?
Does that mean 'not = size 0'?
Yes.
I can't think of anything that explains this. I have a 6-month-old CentOS 5.2 install, with nothing out of the ordinary, as far as I can recall.
Your previous message showed:
-rw------- 1 root root 0 Jul 7 16:07 /var/spool/cron/nobody
This will be the last modification date/time, and possibly the creation date/time if the file was not modified at all. So something around July 7 presumably caused it. If you have the old /var/log/messages files from around that date, then looking through those might show something. As might a /var/log/yum.log file which could indicate if something was automatically installed.
John.
On Sunday 20 July 2008 22:31:22 John Horne wrote:
On Sun, 2008-07-20 at 22:04 +0100, Anne Wilson wrote:
On Sunday 20 July 2008 21:23:52 Stephen Harris wrote:
What does find /var/spool/cron -type f ! -size 0 show?
Does that mean 'not = size 0'?
Yes.
I can't think of anything that explains this. I have a 6-month-old CentOS 5.2 install, with nothing out of the ordinary, as far as I can recall.
Your previous message showed:
-rw------- 1 root root 0 Jul 7 16:07 /var/spool/cron/nobody
This will be the last modification date/time, and possibly the creation date/time if the file was not modified at all. So something around July 7 presumably caused it. If you have the old /var/log/messages files from around that date, then looking through those might show something. As might a /var/log/yum.log file which could indicate if something was automatically installed.
/var/log/yum.log shows nothing between 3rd and 11th June.
Jun 03 16:04:30 Updated: commoncpp2.i386 1.6.2-1.el5.rf
Jun 11 17:33:22 Updated: clamav-db.i386 0.93.1-1.el5.rf
Jun 11 17:33:28 Updated: clamav.i386 0.93.1-1.el5.rf
Jun 11 17:33:29 Updated: clamd.i386 0.93.1-1.el5.rf
The oldest /var/log/messages only goes back to June 22.
Anne
Anne Wilson wrote: ...
-rw------- 1 root root 0 Jul 7 16:07 /var/spool/cron/nobody
...
/var/log/yum.log shows nothing between 3rd and 11th June.
Jun 03 16:04:30 Updated: commoncpp2.i386 1.6.2-1.el5.rf
Jun 11 17:33:22 Updated: clamav-db.i386 0.93.1-1.el5.rf
Jun 11 17:33:28 Updated: clamav.i386 0.93.1-1.el5.rf
Jun 11 17:33:29 Updated: clamd.i386 0.93.1-1.el5.rf
The oldest /var/log/messages only goes back to June 22.
The interesting date is July 7, not June.
Mogens
On Monday 21 July 2008 08:49:51 Mogens Kjaer wrote:
Anne Wilson wrote: ...
-rw------- 1 root root 0 Jul 7 16:07 /var/spool/cron/nobody
...
/var/log/yum.log shows nothing between 3rd and 11th June.
Jun 03 16:04:30 Updated: commoncpp2.i386 1.6.2-1.el5.rf
Jun 11 17:33:22 Updated: clamav-db.i386 0.93.1-1.el5.rf
Jun 11 17:33:28 Updated: clamav.i386 0.93.1-1.el5.rf
Jun 11 17:33:29 Updated: clamd.i386 0.93.1-1.el5.rf
The oldest /var/log/messages only goes back to June 22.
The interesting date is July 7, not June.
Oops - sorry! Caffeine starvation.
yum.log:
Jul 07 13:43:22 Updated: nspr - 4.7.1-1.el5.i386
Jul 07 13:43:33 Updated: nss - 3.12.0.3-1.el5.centos.i386
Jul 07 13:43:37 Updated: xulrunner - 1.9-1.el5.i386
Jul 07 13:43:47 Updated: devhelp - 0.12-17.el5.i386
Jul 07 13:43:49 Updated: nss-tools - 3.12.0.3-1.el5.centos.i386
Jul 07 13:43:54 Updated: firefox - 3.0-2.el5.centos.i386
Jul 07 13:44:02 Updated: yelp - 2.16.0-19.el5.i386
Jul 07 16:01:06 Installed: chkrootkit - 0.47-1.el5.rf.i386
I'll give the whole messages output if it helps, but here is a summary:
Freshclam completed updates, clamd did a self-check and reload.
Jul 7 13:43:22 borg2 yum: Updated: nspr - 4.7.1-1.el5.i386
Jul 7 13:43:33 borg2 yum: Updated: nss - 3.12.0.3-1.el5.centos.i386
Jul 7 13:43:37 borg2 yum: Updated: xulrunner - 1.9-1.el5.i386
Jul 7 13:43:47 borg2 yum: Updated: devhelp - 0.12-17.el5.i386
Jul 7 13:43:49 borg2 yum: Updated: nss-tools - 3.12.0.3-1.el5.centos.i386
Jul 7 13:43:54 borg2 yum: Updated: firefox - 3.0-2.el5.centos.i386
Jul 7 13:44:02 borg2 yum: Updated: yelp - 2.16.0-19.el5.i386
Then some mount problems (nfs mounts).
Then another clamd self-check and freshclam update
and that's all.
Anne
On Sunday 20 July 2008 11:50:21 Anne Wilson wrote:
On Sunday 20 July 2008 16:24:31 Robert - elists wrote:
What does 'crontab -u nobody -l' show ?
Nothing at all - it just returns to the prompt.
Anne
Anne,
It should say "no crontab for nobody" or show the crontab
Eh?
It doesn't do either
Anne
Sounds like there is an empty crontab for nobody. Should be able to verify this by 'ls -l /var/spool/cron/crontabs/nobody'. What if you try to remove it by running 'crontab -l nobody -r'?
-Chris
On Sunday 20 July 2008 18:04:10 Chris Clonch wrote:
On Sunday 20 July 2008 11:50:21 Anne Wilson wrote:
On Sunday 20 July 2008 16:24:31 Robert - elists wrote:
What does 'crontab -u nobody -l' show ?
Nothing at all - it just returns to the prompt.
Anne
Anne,
It should say "no crontab for nobody" or show the crontab
Eh?
It doesn't do either
Anne
Sounds like there is an empty crontab for nobody. Should be able to verify this by 'ls -l /var/spool/cron/crontabs/nobody'. What if you try to remove it by running 'crontab -l nobody -r'?
I can't get that to run, Chris.
crontab: usage error: only one operation permitted
Anne
On Sun, 2008-07-20 at 19:20 +0100, Anne Wilson wrote:
On Sunday 20 July 2008 18:04:10 Chris Clonch wrote:
On Sunday 20 July 2008 11:50:21 Anne Wilson wrote:
On Sunday 20 July 2008 16:24:31 Robert - elists wrote:
What does 'crontab -u nobody -l' show ?
Nothing at all - it just returns to the prompt.
Anne
Anne,
It should say "no crontab for nobody" or show the crontab
Eh?
It doesn't do either
Anne
Sounds like there is an empty crontab for nobody. Should be able to verify this by 'ls -l /var/spool/cron/crontabs/nobody'. What if you try to remove it by running 'crontab -l nobody -r'?
I can't get that to run, Chris.
crontab: usage error: only one operation permitted
I think what was meant was:
ls -l /var/spool/cron/nobody
to see what the size etc of the crontab was for nobody,
then
crontab -u nobody -r
to remove it if it was empty.
John.
On Sunday 20 July 2008 20:03:45 John Horne wrote:
On Sun, 2008-07-20 at 19:20 +0100, Anne Wilson wrote:
On Sunday 20 July 2008 18:04:10 Chris Clonch wrote:
On Sunday 20 July 2008 11:50:21 Anne Wilson wrote:
On Sunday 20 July 2008 16:24:31 Robert - elists wrote:
What does 'crontab -u nobody -l' show ?
Nothing at all - it just returns to the prompt.
Anne
Anne,
It should say "no crontab for nobody" or show the crontab
Eh?
It doesn't do either
Anne
Sounds like there is an empty crontab for nobody. Should be able to verify this by 'ls -l /var/spool/cron/crontabs/nobody'. What if you try to remove it by running 'crontab -l nobody -r'?
I can't get that to run, Chris.
crontab: usage error: only one operation permitted
I think what was meant was:
ls -l /var/spool/cron/nobody
to see what the size etc of the crontab was for nobody,
-rw------- 1 root root 0 Jul 7 16:07 /var/spool/cron/nobody
then
crontab -u nobody -r
to remove it if it was empty.
That seems to have done it, thanks.
Anne