Re: suspicious cron log entry

Randy Yates wrote:

Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)

Is this normal? If so, can someone please explain who/what is
doing this? If not, any suggestions on a course of action?

I should say that "doing this" means "crontab -l". Or am I

Yes, it looks like someone, acting as root typed "crontab -l nobody".
Whether that's "normal" in your situation is not something others can
determine for you (are you the only one with legitimate "root" access
on this system?), but it certainly would be "normal" on systems I
manage, especially for "software accounts" that do have cron jobs, where
I might want to check details.

I hope that helps ...

Sylvain Robitaille syl@xxxxxxxxxxxxxxxxxx

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada