Re: suspicious cron log entry

Sylvain Robitaille <syl@xxxxxxxxxxxxxxxxxx> writes:

> Randy Yates wrote:
>
>> Thanks for your response. I don't mean to be thick, but I still don't
>> really see what the bottom line is. I am the only human that should
>> have root access to my computer.
>
> Then I would conclude that at Aug 25 22:55:39, as root, you typed
> "crontab -l nobody" (or perhaps as your own user you used sudo to issue
> the same command?). Think back carefully. Examine root's command
> history file (.history, or perhaps .bash_history) for reminders.
> Examine your own history file as well.

It wasn't me. I didn't even know there was a -l option until I saw
this entry in the log and read up on the crontab man page.

>> Are there programs or cron jobs that might do this sort of thing
>> automatically? If so, how do you check?
>
> I highly doubt it. You could grep through crontabs and /etc/cron.*, but
> I'd be surprised if you found anything there that would cause a crontab
> listing for user nobody.

OK.

>> If not, then please clarify that this is indeed an indication of a
>> break-in.
>
> As I said in my earlier message,
>
>> Whether that's "normal" in your situation is not something others can
>> determine for you ...

I don't believe that's true. If I asked you to help me determine
what's wrong with my car, couldn't you do it through a series of
queries and responses? Granted, I'd have to do the work of checking
what you ask me to check, but in this case, assuming it's fairly
trivial, I'd gladly do that.

> I suppose the question to begin with is what is causing you to suspect
> this particular log line?

Because I didn't type it, I've never noticed them before in my logs,
and no system process that I know of executes this type of command.

> Or perhaps more to the point, what leads you to believe that your
> system may have been compromised in the first place?

Because I see a suspicious line in my log.

Sylvain, I'm halfway to thinking you're pulling my leg; your comments
and questions are so circular. Forgive me if I misread you.
--
% Randy Yates % "Midnight, on the water...
%% Fuquay-Varina, NC % I saw... the ocean's daughter."
%%% 919-577-9882 % 'Can't Get It Out Of My Head'
%%%% <yates@xxxxxxxx> % *El Dorado*, Electric Light Orchestra
http://home.earthlink.net/~yatescr