Re: suspicious cron log entry
- From: Sylvain Robitaille <syl@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 27 Aug 2007 04:21:00 +0000 (UTC)
Randy Yates wrote:
Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
Is this normal? If so, can someone please explain who/what is
doing this? If not, any suggestions on a course of action?
I should say that "doing this" means "crontab -l". Or am I
wrong?
Yes, it looks like someone, acting as root typed "crontab -l nobody".
Whether that's "normal" in your situation is not something others can
determine for you (are you the only one with legitimate "root" access
on this system?), but it certainly would be "normal" on systems I
manage, especially for "software accounts" that do have cron jobs, where
I might want to check details.
I hope that helps ...
--
----------------------------------------------------------------------
Sylvain Robitaille syl@xxxxxxxxxxxxxxxxxx
Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
.
- Follow-Ups:
- Re: suspicious cron log entry
- From: Randy Yates
- Re: suspicious cron log entry
- References:
- suspicious cron log entry
- From: Randy Yates
- Re: suspicious cron log entry
- From: Randy Yates
- suspicious cron log entry
- Prev by Date: Re: suspicious var/log entry
- Next by Date: Re: hdd copy protection
- Previous by thread: Re: suspicious cron log entry
- Next by thread: Re: suspicious cron log entry
- Index(es):
