  1. #1

    Cron job for old account

    I have a cron job reporting in with an error message to my root email address every few minutes. It is for an account that I no longer have on the server. I can't seem to find the location to remove it. Reading the prior posts in the forums, I have tried the following: (crash is the user name)

    crontab -e
    No Results
    crontab -u crash -r
    crontab: user `crash' unknown
    /var/spool/cron
    User not there either.

    This is a copy of the email I get:

    Code:
    From: "Cron Daemon" <root@server1.gameserved.com>
    To: <root@server1.gameserved.com>
    Subject: Cron <root@server1>  chown root:root /home2/crash/public_html/functions/mtki && chmod 4755 
    /home2/crash/public_html/functions/mtki && rm -rf /etc/cron.d/core && kill -USR1 9034
    Date: September 12, 2006 6:55 AM
    
    chown: cannot access `/home2/crash/public_html/functions/mtki': No such file or directory
    Any suggestions on how I can kill this cron job?

  2. #2
    Depends on the OS. You need to find the user's crontab file.

    Debian: /var/spool/cron/crontabs
    FreeBSD: /var/cron/tabs
    Fedora: /var/spool/cron (I believe)

    Looks like you will probably find a file in one of those directories called "crash" (based on the directory it references). Delete that, and you are all set.

    Note: just saw your reference to FC4 - should be either /var/spool/cron or /var/spool/cron/crontabs then

  3. #3
    The problem is, it is not showing up there. This is what I see when I go to that directory.

    root@server1 [/home2/canam]# cd /var/spool/cron/
    root@server1 [/var/spool/cron]# ls
    ./ ../ canam dsuper gameserv jethbrow mailman root tvonixon
    root@server1 [/var/spool/cron]#

    I have checked each of the above users and no crons correspond to the former account "crash".

    The server is Fedora Core 4 with Cpanel.

  4. #4
    Sorry - did not read the whole message the first time apparently. I misread it quite a bit.

    That is actually root's crontab error. Look at root's tab, as it appears to be trying to manipulate "/home2/crash/public_html/functions/mtki" which, if you removed the user, will no longer be there.

  5. #5
    Thanks for the help, but I can't find it there either. It seems to be an orphaned cron hidden somewhere, as it does not come up at all. I am getting the emails every minute. This is root's crons:

    44 4 * * * /usr/local/cpanel/3rdparty/interchange/bin/expireall -r
    */15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
    30 3 * * * /etc/rc.d/init.d/httpd graceful 2>&1 | /usr/sbin/sendmail -s "restart Apache" admin@game$
    50 5 * * * /scripts/upcp
    0 1 * * * /scripts/cpbackup
    2,58 * * * * /usr/local/bandmin/bandmin
    0 0 * * * /usr/local/bandmin/ipaddrmap
    18 3 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
    18 3 * * * cd /usr/local/cpanel/whostmgr/docroot/cgi/fantastico/scripts/ ; /usr/local/cpanel/3rdpar$
    0 0 * * * php -q /usr/local/cpanel/whostmgr/docroot/installation/cron.php > /dev/null
    0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
    */5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

  6. #6
    Maybe check /var/log/cron ?

    I think it lists the crontab it executes in there. It might lead you to something in /etc/cron.*.

  7. #7
    Ok, this is what I see in the log file. I checked the file it mentions, /etc/cron.d/core.9035, but it is a lot of unreadable code to me. I found the cron for "crash" in there. So would I edit that out, and then restart cron?

    Sep 13 07:32:01 server1 crond[1785]: (root) CMD ( chown root:root /home2/crash/public_html/functions/mtki && chmod 4755 /home2/crash/public_html/functions/mtki && rm -rf /etc/cron.d/core && kill -USR1 9034)

    This is the cron string showing up in the file:

    * * * * * root chown root:root /home2/crash/public_html/functions/mtki && chmod 4755 /home2/crash/public_html/functions/mtki && rm -rf /etc/cron.d/core && kill -USR1 9034

  8. #8
    Looks like one of those attempted root exploits which was originally executed from /home2/crash/public_html/functions/mtki

    Do this,

    rm -rf /etc/cron.d/core*
    service crond restart

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  9. #9
    Looks like Scott beat me to it.

    It looks like it was trying to set the suid bit.

    What Scott suggested should fix it.

  10. #10
    What is the long form to restart cron? I tried root@server1 [/etc]# service crond restart
    bash: service: command not found

    My server, since I had it secured earlier by a company, doesn't seem to want to restart services without the long command.

  11. #11
    Quote Originally Posted by jethbrown
    What is the long form to restart cron? I tried root@server1 [/etc]# service crond restart
    bash: service: command not found

    My server, since I had it secured earlier by a company, doesn't seem to want to restart services without the long command.

    I will assume you use su. When logging in with su, put - at the end so it's "su -"; this will set your /sbin path and service will work.

    If not, /etc/init.d/crond restart will work.

  12. #12
    Found it in Google: /sbin/service crond restart

  13. #13
    Thanks for that information about su. Did not know that. I am still very new to this.

    Thanks everyone, the emails have stopped, total received 14803... Was ready to blackhole it!
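
Added example, not part of any post in this thread: the job was found only after /var/log/cron pointed at /etc/cron.d, because per-user crontabs are not the only place crond reads. The sketch below greps every standard cron location for entries that use chmod to set a setuid/setgid bit, which is what the planted entry did. The function name scan_cron and its optional root-directory argument are assumptions made for the example; the argument lets the scan run against a mounted disk image instead of the live filesystem.

```shell
#!/bin/sh
# Added example: flag cron entries that set a setuid/setgid bit via chmod.
# Covers numeric modes (e.g. 4755, 2755, 6755, 04755) and symbolic modes
# (u+s, g+s, +s). Commented-out lines are ignored.

SUID_RE='chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)*(0?[2-7][0-7]{3}|[ugoa]*\+[rwx]*s[rwx]*)([[:space:]]|$)'

scan_cron() {
    root="${1:-/}"        # assumption: optional alternate root to scan
    root="${root%/}"      # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    for loc in \
        "$root/etc/crontab" \
        "$root/etc/cron.d" \
        "$root/etc/cron.hourly" "$root/etc/cron.daily" \
        "$root/etc/cron.weekly" "$root/etc/cron.monthly" \
        "$root/var/spool/cron"
    do
        [ -e "$loc" ] || continue
        # -r also reaches /var/spool/cron/crontabs on Debian-style layouts;
        # output format is file:line-number:matching-line
        grep -rHEn -- "$SUID_RE" "$loc" 2>/dev/null \
            | grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#' || true
    done
    return 0
}

# Scan the live system when run directly as root:
#   scan_cron
# Scan a mounted image:
#   scan_cron /mnt/image
```

Any hit deserves a look at the file's owner and mtime before deletion, and at the binary the entry points to if it still exists.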
