Re: suspicious cron log entry



Randy Yates wrote:

It wasn't me. ...

Did you verify that in the history files?

If you run "crontab -l" as user "randy" do you find a similar log line
that shows in fact that "randy" ran "crontab -l" for "randy"? (or does
it also show that "root" ran "crontab -l" for "randy"?)

Whether that's "normal" in your situation is not something others
can determine for you ...

I don't believe that's true. ...

You'd have to post a lot more detail about your system and its
configuration for it not to be, I'm afraid. Even then, keep in mind
that you know your system and how you use it better than anyone else.
If you don't, you certainly do have a problem.

If I asked you to help me determine what's wrong with my car, couldn't
you do it through a series of queries and responses?

Right, and that would start with "make, model, year, any powertrain
options" and probably a few more details. Assuming I knew enough about
(at least that model of) cars to guide you on that matter, the above
alone would give me a baseline of knowledge about your car and its
default "configuration" (which I assume you would think to tell me if
you modified).

You've given us the equivalent of "my car makes a sound I've never heard
before. Is that normal?" If you *had* asked that question, the best
answer I could give you is still the above.

Granted I'd have to do the work of checking what you ask me to check,
but in this case, assuming it's fairly trivial, I'd gladly do that.

I would start by trying to identify what specifically caused that log
line to be produced. Are there others like it? (ie, can you find a
pattern in the timing) Do other logs show anything interesting at
around (or slightly earlier than) the same time?

what is causing you to suspect this particular log line?

Because I didn't type it,

Did you do anything else that might have caused the command to be run on
your behalf? (some sort of GUI interface to crontab, perhaps?)

I've never noticed them before in my logs,

Can you grep your logs to confirm that there are no other occurances?

and no system process that I know of executes this type of command.

agreed, given "system process" to mean "automated jobs installed with
the default OS installation". Perhaps you ran "make install" to install
a package that adds to "nobody"s crontab if the entry it's adding doesn't
already exist (it's a long shot, but the point is that you should consider
what was going on on the system at the time, and see if there's anything
at all that might have had that as a side-effect).

... more to the point, what leads you to believe that your
system may have been compromised in the first place?

Because I see a suspicious line in my log.

Just the one line, or are you seeing other evidence which, in context,
causes this line to stick out as suspicious?

Sylvain, I'm halfway to thinking you're pulling my leg, your comments
and questions are so circular. Forgive me if I misread you.

No leg pulling intended. I'm honestly trying to get a sense of what is
causing you to consider this log line to be suspicious.

--
----------------------------------------------------------------------
Sylvain Robitaille syl@xxxxxxxxxxxxxxxxxx

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
.



Relevant Pages

  • Re: Camera Card Reader
    ... the OEM will install XP at extra cost. ... I would say two things: 1) there ARE cases where Windows gets so tangled up that a reboot is the only reasonable cure and 2) you don't need to do that on a weekly or monthly basis with a car. ... I also know that the people doing this sort of thing actually view electronics not as a cost, but as a cost SAVINGS because it is FAR cheaper to tweak a computer chip to, say, provide emissions support for a different state or country, than it is to completely redo the entire fuel-air system. ... If our SKIM or those of other makers could be easily and routinely overcome by beaming EMF energy at either the key fob itself or the engine compartment where the hidden receiver and computer are, doncha think the car companies would find out and fix it? ...
    (rec.photo.digital)
  • Re: Camera Card Reader
    ... the OEM will install XP at extra cost. ... do that on a weekly or monthly basis with a car. ... Key Immobilizer Module) in each key fob, ...
    (rec.photo.digital)
  • Re: Tow car recommendations.
    ... install the brake system in it. ... Tow Brake and wanted it installed. ... but I've been using my Festiva as a work car too. ...
    (rec.outdoors.rv-travel)
  • Re: Installing air conditioner in 2003 Corolla
    ... originally purchased this car without an air conditioner. ... something I can do myself or do I need to pay someone to install it? ... you get a 2006 kit which would fit. ... I do not recommend attempting to install an air conditioner yourself. ...
    (alt.autos.toyota)
  • Re: Astro-Jet Pulse Amplifier Scam?
    ... under the hood of his car with a exposed spark plug so you coud see the ... the speed to 55 MPH and then install the device in series with the coil ... which increased the speed to 65MPH indicating the car was moving 10 MPH ...
    (sci.electronics.basics)