Re: suspicious cron log entry
- From: Randy Yates <yates@xxxxxxxx>
- Date: Mon, 27 Aug 2007 22:45:17 -0400
Sylvain Robitaille <syl@xxxxxxxxxxxxxxxxxx> writes:
Randy Yates wrote:
Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
Is this normal? If so, can someone please explain who/what is
doing this? If not, any suggestions on a course of action?
I should say that "doing this" means "crontab -l". Or am I
wrong?
Yes, it looks like someone, acting as root typed "crontab -l nobody".
Whether that's "normal" in your situation is not something others can
determine for you (are you the only one with legitimate "root" access
on this system?), but it certainly would be "normal" on systems I
manage, especially for "software accounts" that do have cron jobs, where
I might want to check details.
I hope that helps ...
Hi Sylvain,
Thanks for your response. I don't mean to be thick, but I still don't
really see what the bottom line is. I am the only human that should
have root access to my computer. Are there programs or cron jobs that
might do this sort of thing automatically? If so, how do you check?
If not, then please clarify that this is indeed an indication of a
break-in.
--
% Randy Yates % "So now it's getting late,
%% Fuquay-Varina, NC % and those who hesitate
%%% 919-577-9882 % got no one..."
%%%% <yates@xxxxxxxx> % 'Waterfall', *Face The Music*, ELO
http://home.earthlink.net/~yatescr
.
- Follow-Ups:
- Re: suspicious cron log entry
- From: Sylvain Robitaille
- Re: suspicious cron log entry
- References:
- suspicious cron log entry
- From: Randy Yates
- Re: suspicious cron log entry
- From: Randy Yates
- Re: suspicious cron log entry
- From: Sylvain Robitaille
- suspicious cron log entry
- Prev by Date: Re: Security Distributions
- Next by Date: Re: suspicious cron log entry
- Previous by thread: Re: suspicious cron log entry
- Next by thread: Re: suspicious cron log entry
- Index(es):
Relevant Pages
|
