  1. #1
    Join Date
    Aug 2002
    Posts
    1,633

    eggdrop and cron

    Hi

    I found eggdrop on my server, installed under the My_EGallery module. I have now deleted it, but I still get this cron message from the server:

    /bin/sh: line 1: /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//kinghod.botchk: No such file or directory

    I have already checked in /etc/allcrondirectory and in /var/spool/cron/tenniscl/ but there isn't anything! Where can I find it?

    thx

  2. #2
    Join Date
    Aug 2002
    Posts
    1,633
    In /proc/26459 I see:

    dr-xr-xr-x 3 nobody nobody 0 Apr 16 12:01 ./
    dr-xr-xr-x 198 root root 0 Apr 13 02:19 ../
    -r--r--r-- 1 nobody nobody 0 Apr 16 12:01 cmdline
    -r--r--r-- 1 nobody nobody 0 Apr 16 12:01 cpu
    lrwxrwxrwx 1 nobody nobody 0 Apr 16 12:01 cwd -> /home/tenniscl/public_html/modules/My_eGallery/gallery/configFILE\ (deleted)
    -r-------- 1 nobody nobody 0 Apr 16 12:01 environ
    lrwxrwxrwx 1 nobody nobody 0 Apr 16 12:01 exe -> /home/tenniscl/public_html/modules/My_eGallery/gallery/configFILE/eggdrop-1.6.6\ (deleted)
    dr-x------ 2 nobody nobody 0 Apr 16 12:01 fd/
    -r--r--r-- 1 nobody nobody 0 Apr 16 12:01 maps
    -rw------- 1 nobody nobody 0 Apr 16 12:01 mem
    -r--r--r-- 1 nobody nobody 0 Apr 16 12:01 mounts
    lrwxrwxrwx 1 nobody nobody 0 Apr 16 12:01 root -> //
    -r--r--r-- 1 nobody nobody 0 Apr 16 12:01 stat
    -r--r--r-- 1 nobody nobody 0 Apr 16 12:01 statm
    -r--r--r-- 1 nobody nobody 0 Apr 16 12:01 status

  3. #3
    Join Date
    Jun 2003
    Posts
    976
    try "crontab -u nobody -l"

  4. #4
    Join Date
    Dec 2001
    Location
    NYC, NY
    Posts
    799
    greo botchk /var/spool/cron/*
    Blog your life away
    http://photoblog.com

  5. #5
    Join Date
    Aug 2002
    Posts
    1,633
    crontab -u nobody -l
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//.autobotchk installed on Sat Apr 16 08:14:30 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//.autobotchk installed on Sat Apr 16 08:13:54 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//.autobotchk installed on Sat Apr 16 08:13:09 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//.autobotchk installed on Sat Apr 16 08:12:24 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (/home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//.autobotchk installed on Sat Apr 16 08:11:57 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (cron.d installed on Sat Apr 16 08:02:02 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    * * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.psy/y2kupdate >/dev/null 2>&1
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//kinghod.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//kingring.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//Modaro.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//cewekkoe.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//kecentoll.botchk



    greo botchk /var/spool/cron/*
    -bash: greo: command not found

  6. #6
    Join Date
    Jun 2003
    Posts
    976
    Originally posted by adapter
    crontab -u nobody -l
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (cron.d installed on Sat Apr 16 08:02:02 2005)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    * * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.psy/y2kupdate >/dev/null 2>&1
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//kinghod.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//kingring.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//Modaro.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//cewekkoe.botchk
    0,10,20,30,40,50 * * * * /home/tenniscl/public_html/modules/My_eGallery/gallery/.dat//kecentoll.botchk

    There you go.
    What's the content of
    /home/tenniscl/public_html/modules/My_eGallery/gallery/.psy/ ?
    Might be psybnc.
    The other lines start a few bots.
    You can delete nobody's cronjobs with
    "crontab -u nobody -r" (will wipe all)
    and verify it with "crontab -u nobody -l"

    Originally posted by adapter
    greo botchk /var/spool/cron/*
    -bash: greo: command not found

    Should have been "grep".

    Besides, you should take a look at the PHP script, since it might be the point of intrusion.
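
The two checks used so far in this thread (reading every user's crontab, and looking in /proc for a process whose executable was deleted), as an added shell example that is not part of any post. The function names and the `--live` switch are assumptions of this example; /var/spool/cron is the spool path the posters mention.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Print "user: job" for cron jobs that run something from a web docroot
# or from a hidden directory (a "/." path component such as /.dat/ or /.psy/).
# Usage: cron_suspects /var/spool/cron
cron_suspects() {
    spool=$1
    for tab in "$spool"/*; do
        [ -f "$tab" ] || continue
        user=$(basename "$tab")
        # Drop comments and blank lines, then keep only the suspicious commands.
        grep -v -E '^[[:space:]]*(#|$)' "$tab" |
            grep -E '/public_html/|/\.[^/.]' |
            while IFS= read -r job; do
                printf '%s: %s\n' "$user" "$job"
            done
    done
}

# Print "pid target" for processes still running from an unlinked binary;
# the kernel appends " (deleted)" to the exe link target in that case.
# Usage: deleted_exes /proc
deleted_exes() {
    proc=$1
    for dir in "$proc"/[0-9]*; do
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *' (deleted)') printf '%s %s\n' "$(basename "$dir")" "$target" ;;
        esac
    done
}

# Touch the live system only when asked: sh audit.sh --live (as root)
if [ "${1:-}" = "--live" ]; then
    cron_suspects /var/spool/cron
    deleted_exes /proc
fi
```

Removing the crontab does not stop bots that are already running, so any PID reported by `deleted_exes` still needs to be reviewed and killed.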

  7. #7
    Join Date
    Aug 2002
    Posts
    1,633
    OK, many thanks. I found the cron in /var/spool/cron/nobody and I have deleted it. As I said, the problem was the My_EGallery module of phpnuke, which is vulnerable, so the hacker uploaded it. Now I have deleted the My_EGallery module along with the eggdrop files and the cron. BTW, can someone share a script that I can run every week to find whether someone has uploaded the My_eGallery module? I see that a lot of hack scripts come from this module, and I would like to stop my customers from using it.

    many thanks
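
A weekly check of the kind requested in this post, as an added shell example that is not from any poster: it lists directories named like the module and executable files sitting in dot-directories under web roots, which is where the bots in this thread lived. The /home/*/public_html layout is assumed from the paths shown above; the function names, the `--live` switch and the script path in the cron comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Print "MODULE <dir>" for each directory named like the module. The match is
# case-insensitive because the thread shows both My_eGallery and My_EGallery.
find_module() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d -iname 'my_egallery' -print | sed 's/^/MODULE /'
    done
}

# Print "HIDDEN-EXEC <file>" for owner-executable files inside a dot-directory
# below a web root (the bots here ran from .dat/ and .psy/).
find_hidden_execs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # cd first so dot-directories above the web root cannot cause matches.
        (cd "$root" && find . -type f -path '*/.?*/*' -perm -100 -print) |
            while IFS= read -r f; do
                printf 'HIDDEN-EXEC %s/%s\n' "$root" "${f#./}"
            done
    done
}

# Cron mails whatever a job prints, so no mail means nothing was found.
# Weekly entry (Sunday 03:00); the script path is a placeholder:
#   0 3 * * 0 /root/bin/webroot-scan.sh --live
if [ "${1:-}" = "--live" ]; then
    find_module /home/*/public_html
    find_hidden_execs /home/*/public_html
fi
```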

  8. #8
    Join Date
    Jun 2003
    Posts
    976
    Which My_eGallery version do you use? Maybe http://secunia.com/advisories/10301/ ?

  9. #9
    Join Date
    Aug 2002
    Posts
    1,633
    Yes, it was an old version. Nobody upgrades site scripts!!
