Thread: Cron job for old account
-
09-12-2006, 09:28 AM #1 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- Edmonton, Alberta
- Posts
- 93
Cron job for old account
I have a cron job reporting in with an error message to my root email address every few minutes. It is for an account that I no longer have on the server. I can't seem to find the location to remove it. Reading the prior posts in the forums, I have tried the following: (crash is the user name)
crontab -e
No Results
crontab -u crash -r
crontab: user `crash' unknown
/var/spool/cron
User not there either.
This is a copy of the email I get:
Code:
From: "Cron Daemon" <root@server1.gameserved.com>
To: <root@server1.gameserved.com>
Subject: Cron <root@server1> chown root:root /home2/crash/public_html/functions/mtki && chmod 4755 /home2/crash/public_html/functions/mtki && rm -rf /etc/cron.d/core && kill -USR1 9034
Date: September 12, 2006 6:55 AM
chown: cannot access `/home2/crash/public_html/functions/mtki': No such file or directory
Jim Brown, BSc
Alberta Internet Host Providers Ltd.
-
09-12-2006, 10:21 AM #2 WHT Addict
- Join Date
- Jan 2002
- Posts
- 159
Depends on the OS. You need to find the user's crontab file.
Debian: /var/spool/cron/crontabs
FreeBSD: /var/cron/tabs
Fedora: /var/spool/cron (I believe)
Looks like you will probably find a file in one of those directories called "crash" (based on the directory it references). Delete that, and you are all set.
Note: just saw your reference to FC4 - should be either /var/spool/cron or /var/spool/cron/crontabs then
-
09-12-2006, 10:51 AM #3 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- Edmonton, Alberta
- Posts
- 93
The problem is, it is not showing up there. This is what I see when I go to that directory.
root@server1 [/home2/canam]# cd /var/spool/cron/
root@server1 [/var/spool/cron]# ls
./ ../ canam dsuper gameserv jethbrow mailman root tvonixon
root@server1 [/var/spool/cron]#
I have checked each of the above users and no crons correspond to the former account "crash".
The server is Fedora Core 4 with Cpanel.
Jim Brown, BSc
Alberta Internet Host Providers Ltd.
-
09-12-2006, 03:34 PM #4 WHT Addict
- Join Date
- Jan 2002
- Posts
- 159
Sorry - did not read the whole message the first time apparently. I misread it quite a bit.
That is actually root's crontab error. Look at root's tab, as it appears to be trying to manipulate "/home2/crash/public_html/functions/mtki" which, if you removed the user, will no longer be there.
-
09-12-2006, 08:13 PM #5 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- Edmonton, Alberta
- Posts
- 93
Thanks for the help, but I can't find it there either. It seems to be an orphaned cron hidden somewhere, as it does not come up at all. I am getting the emails every minute. This is root's crons:
44 4 * * * /usr/local/cpanel/3rdparty/interchange/bin/expireall -r
*/15 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
30 3 * * * /etc/rc.d/init.d/httpd graceful 2>&1 | /usr/sbin/sendmail -s "restart Apache" admin@game$
50 5 * * * /scripts/upcp
0 1 * * * /scripts/cpbackup
2,58 * * * * /usr/local/bandmin/bandmin
0 0 * * * /usr/local/bandmin/ipaddrmap
18 3 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
18 3 * * * cd /usr/local/cpanel/whostmgr/docroot/cgi/fantastico/scripts/ ; /usr/local/cpanel/3rdpar$
0 0 * * * php -q /usr/local/cpanel/whostmgr/docroot/installation/cron.php > /dev/null
0 6 * * * /scripts/exim_tidydb > /dev/null 2>&1
*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1
Jim Brown, BSc
Alberta Internet Host Providers Ltd.
-
09-12-2006, 10:25 PM #6 Web Hosting Master
- Join Date
- Feb 2003
- Location
- Canada
- Posts
- 1,010
Maybe check /var/log/cron ?
I think it lists the crontab it executes in there. It might lead you to something in /etc/cron.*.
-
09-13-2006, 09:43 AM #7 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- Edmonton, Alberta
- Posts
- 93
Ok, this is what I see in the log file. I checked the file it mentions, /etc/cron.d/core.9035, but it is a lot of unreadable code to me. I found the cron for "crash" in there. So would I edit that out, and then restart cron?
Sep 13 07:32:01 server1 crond[1785]: (root) CMD ( chown root:root /home2/crash/public_html/functions/mtki && chmod 4755 /home2/crash/public_html/functions/mtki && rm -rf /etc/cron.d/core && kill -USR1 9034)
This is the cron string showing up in the file:
* * * * * root chown root:root /home2/crash/public_html/functions/mtki && chmod 4755 /home2/crash/public_html/functions/mtki && rm -rf /etc/cron.d/core && kill -USR1 9034
Last edited by jethbrown; 09-13-2006 at 09:56 AM.
Jim Brown, BSc
Alberta Internet Host Providers Ltd.
-
09-13-2006, 09:44 AM #8 Engineer
- Join Date
- Jan 2005
- Location
- Scotland, UK
- Posts
- 2,681
Looks like one of those attempted root exploits which was originally executed from /home2/crash/public_html/functions/mtki
Do this,
rm -rf /etc/cron.d/core*
service crond restart
-Scott
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com
-
09-13-2006, 10:00 AM #9 Web Hosting Master
- Join Date
- Feb 2003
- Location
- Canada
- Posts
- 1,010
Looks like Scott beat me to it.
It looks like it was trying to set the suid bit.
What Scott suggested should fix it.
-
09-13-2006, 10:19 AM #10 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- Edmonton, Alberta
- Posts
- 93
What is the long form to restart cron? I tried:
root@server1 [/etc]# service crond restart
bash: service: command not found
My server, since I had it secured earlier by a company, doesn't seem to want to restart services without the long command.
Jim Brown, BSc
Alberta Internet Host Providers Ltd.
-
09-13-2006, 10:21 AM #11 Engineer
- Join Date
- Jan 2005
- Location
- Scotland, UK
- Posts
- 2,681
Originally Posted by jethbrown
If not /etc/init.d/crond restart will work.
-
09-13-2006, 10:21 AM #12 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- Edmonton, Alberta
- Posts
- 93
Found it in Google: /sbin/service crond restart
Jim Brown, BSc
Alberta Internet Host Providers Ltd.
-
09-13-2006, 10:23 AM #13 Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- Edmonton, Alberta
- Posts
- 93
Thanks for that information about su. Did not know that. I am still very new to this.
Thanks everyone, the emails have stopped, total received 14803... Was ready to blackhole it!
Jim Brown, BSc
Alberta Internet Host Providers Ltd.
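
The job in this thread lived in a drop-in file under /etc/cron.d, which `crontab -e` and /var/spool/cron never show. The following check is an added example, not code posted by anyone in the thread; the function names and output labels are made up for it, and the patterns are heuristics taken from the job line quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit every file crond reads.
# Patterns are heuristics built from the job line quoted in the thread:
#   chmod with a setuid/setgid octal mode or symbolic +s, and
#   a job that deletes something under /etc/cron*.
SUSPICIOUS='chmod[[:space:]]+(0?[2-7][0-7]{3}|[ugoa]*\+[rwxt]*s)|rm[[:space:]].*/etc/cron'

# True when the file contains NUL bytes, i.e. it is not a plain-text crontab.
has_nul() {
    [ "$(tr -d '\000' < "$1" | wc -c)" -ne "$(wc -c < "$1")" ]
}

# audit_cron [ROOT]: ROOT defaults to /; pass a mounted image or a test tree.
audit_cron() {
    root="${1:-/}"
    root="${root%/}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        # -a: search binary files as text, since the job line in the thread
        # sat inside an unreadable file; -o prints only the matched text.
        grep -aEno "$SUSPICIOUS" "$f" | while IFS= read -r hit; do
            printf 'SUSPICIOUS %s:%s\n' "$f" "$hit"
        done
        # A file named like a core dump has no business in a cron directory.
        case "${f##*/}" in
            core|core.*) printf 'ODDNAME %s\n' "$f" ;;
        esac
        if has_nul "$f"; then
            printf 'BINARY %s\n' "$f"
        fi
    done
    return 0
}
```

Source the file and run `audit_cron /` as root; any file it reports should be copied off the machine for inspection before it is deleted.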