[CentOS] strange behavior with cron

SilverTip257 silvertip257 at gmail.com
Wed Apr 23 00:01:29 UTC 2014


On Tue, Apr 22, 2014 at 7:40 PM, Michel Donais <donais at telupton.com> wrote:

> Has somebody had this situation where an Email is sent every minute to a
> specific user named michel.
> These emails are
> incoming from:                Root
> with an header like:          Cron <michel at donais> ~/.h5siP >/dev/null
> 2>/dev/null;
> and a text message as:     /bin/sh: no: command not found
>
> There is a cron task named h5siP in the path of this user; he is the only
> one affected by this situation.
> I found that this script has a relation with another one named R5Agz
>

Did this user intentionally set up something that automatically recreates
cronjobs?


>
> If I remove the cron job h5siP from the cron listing and I restart cron the
> script is back a few minutes later.
>

If a person were to guess blindly, they might suspect that a nefarious
person has compromised your server and set a cronjob.  Without knowing more
about your set up and how you have protected your servers (if SSH is open
to the world, has SSH been brute forced, who has last logged in, etc), it
will be tough to give good answers.

Years ago, I found remnants of cronjobs in /var/spool/cron/ on a shared web
server that was compromised (and subsequently cleaned up).  By the sounds
of it, those files are user cronjobs which will be in the cron spool.


> .h5siP-p and .R5Agz-p are located in dev/shm/ and both contain a process
> number as 23374 and 35678
> .R5Agz and .h5siP can be found in a user named michel repertory, which is
> the one who receives a lot of emails
> .h5siP is also located in /temp
>
> The only changes we made to our system were yesterday. We made an automatic
> yum update of three programs: java 1.6, kpartx and device-mapper-multipath.
> I don't know if there is a relation or if I face a kind of virus?
>

For starters, you need to find out what those cronjobs are doing -- that
will indicate the urgency.  Use strace to connect to those processes.
 strace -p <pid#>

And from there, determine what is creating that file.  You would think that
whatever it is, would routinely check for the file to exist and you could
catch it by grepping the output from lsof.


>
> I hope somebody can help
>
> ---
>
> Michel Donais
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
---~~.~~---
Mike
//  SilverTip257  //
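A defender's triage script for the symptoms discussed in this thread, added here as an example and not part of either message: it scores cron spool lines that run every minute, execute a dotfile or something under /dev/shm or /tmp, or silence all output, and resolves the ".name-p" PID files so the owning process can be inspected (strace -p, lsof -p) before anything is deleted. The spool and shm directories are arguments (on CentOS, user crontabs are in /var/spool/cron, one file per user); the sample crontab and PID files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit cron spool entries and /dev/shm
# PID files for the pattern described above (a hidden ~/.name script run every
# minute with its output discarded, plus a .name-p file holding a PID).
# Run as root so every user's crontab and process is visible.

# Print suspicious lines of one crontab file as "score<TAB>file<TAB>line".
flag_suspicious_cron() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        score=0
        case "$line" in '* * * * *'*) score=$((score + 1)) ;; esac                  # runs every minute
        case "$line" in */.[!./]*|*/dev/shm/*|*/tmp/*) score=$((score + 2)) ;; esac  # dotfile or volatile path
        case "$line" in *'>/dev/null'*'2>'*) score=$((score + 1)) ;; esac           # all output silenced
        if [ "$score" -ge 2 ]; then printf '%s\t%s\t%s\n' "$score" "$1" "$line"; fi
    done
}

# Report a PID file as "alive PID COMM", "dead PID" or "invalid".
pidfile_status() {
    pid=$(tr -d '[:space:]' < "$1" 2>/dev/null)
    case "$pid" in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    if [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; then
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || ps -o comm= -p "$pid" 2>/dev/null)
        echo "alive $pid ${comm:-?}"
    else
        echo "dead $pid"
    fi
}

# Audit every crontab in SPOOL ($1) and every ".name-p" file in SHM ($2, default /dev/shm).
audit_cron() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then flag_suspicious_cron "$f"; fi
    done
    for p in "${2:-/dev/shm}"/.*-p; do
        if [ -f "$p" ]; then printf 'pidfile\t%s\t%s\n' "$p" "$(pidfile_status "$p")"; fi
    done
}

# Usage: sh audit_cron.sh /var/spool/cron [/dev/shm]
if [ $# -ge 1 ]; then audit_cron "$1" "$2"; fi
```

Lines scoring 4 are the strongest match for the pattern in the thread; a pidfile reported "alive" gives the PID to hand to strace -p and lsof -p.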


