Re: suspicious cron log entry



Randy Yates wrote:

> Thanks for your response. I don't mean to be thick, but I still don't
> really see what the bottom line is. I am the only human that should
> have root access to my computer.

Then I would conclude that at Aug 25 22:55:39, as root, you typed
"crontab -l nobody" (or perhaps as your own user you used sudo to issue
the same command?) Think back carefully. Examine root's command
history file (.history, or perhaps .bash_history) for reminders.
Examine your own history file as well.

> Are there programs or cron jobs that might do this sort of thing
> automatically? If so, how do you check?

I highly doubt it. You could grep through crontabs and /etc/cron.*, but
I'd be surprised if you found anything there that would cause a crontab
listing for user nobody.

> If not, then please clarify that this is indeed an indication of a
> break-in.

As I said in my earlier message,

> Whether that's "normal" in your situation is not something others can
> determine for you ...

I suppose the question to begin with, is what is causing you to suspect
this particular log line? Or perhaps more to the point, what leads you
to believe that your system may have been compromised in the first
place?

--
----------------------------------------------------------------------
Sylvain Robitaille syl@xxxxxxxxxxxxxxxxxx

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
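
The history and cron checks suggested in this reply, sketched as a shell function (an added example, not part of the original message). The function name `scan_crontab_refs`, the optional path prefix, and the /home and /var/spool/cron locations are assumptions; spool and history locations vary by distribution and shell.

```shell
#!/bin/sh
# Added example: look through shell history files and cron definitions for
# commands that run crontab against a given user (e.g. "crontab -l nobody").
#
# scan_crontab_refs USER [PREFIX]
#   USER    account name to look for (treated as a regex fragment, so
#           plain names such as "nobody" are expected)
#   PREFIX  optional root to search under (hypothetical helper argument,
#           useful for a mounted disk image); default is the live system
scan_crontab_refs() {
    user=$1
    prefix=${2:-}
    # "crontab", optional arguments, then USER as a separate word, so
    # "crontab -l nobody" matches but "crontab -l nobodyelse" does not.
    pattern="crontab([[:space:]].*)?[[:space:]]${user}([[:space:]]|\$)"

    for f in \
        "$prefix"/root/.bash_history "$prefix"/root/.history \
        "$prefix"/home/*/.bash_history "$prefix"/home/*/.history \
        "$prefix"/etc/crontab "$prefix"/etc/cron.*/* \
        "$prefix"/var/spool/cron/* "$prefix"/var/spool/cron/crontabs/*
    do
        # Unmatched globs stay literal; skip anything that is not a
        # readable regular file.
        [ -f "$f" ] && [ -r "$f" ] || continue
        # /dev/null as a second file forces "file:line:text" output.
        grep -nE -- "$pattern" "$f" /dev/null || true
    done
    return 0
}

# Run directly as: sh scan.sh nobody [prefix]
if [ -n "${1:-}" ]; then
    scan_crontab_refs "$1" "${2:-}"
fi
```

No output means none of the files that were readable contain such a command; history files can be edited or may never have been written (for example, a shell that was killed), so an empty result does not rule the command out.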