Re: suspicious cron log entry

Randy Yates wrote:

It wasn't me. ...

Did you verify that in the history files?

If you run "crontab -l" as user "randy" do you find a similar log line
that shows in fact that "randy" ran "crontab -l" for "randy"? (or does
it also show that "root" ran "crontab -l" for "randy"?)

Whether that's "normal" in your situation is not something others
can determine for you ...

I don't believe that's true. ...

You'd have to post a lot more detail about your system and its
configuration for it not to be, I'm afraid. Even then, keep in mind
that you know your system and how you use it better than anyone else.
If you don't, you certainly do have a problem.

If I asked you to help me determine what's wrong with my car, couldn't
you do it through a series of queries and responses?

Right, and that would start with "make, model, year, any powertrain
options" and probably a few more details. Assuming I knew enough about
(at least that model of) cars to guide you on that matter, the above
alone would give me a baseline of knowledge about your car and its
default "configuration" (which I assume you would think to tell me if
you modified).

You've given us the equivalent of "my car makes a sound I've never heard
before. Is that normal?" If you *had* asked that question, the best
answer I could give you is still the above.

Granted I'd have to do the work of checking what you ask me to check,
but in this case, assuming it's fairly trivial, I'd gladly do that.

I would start by trying to identify what specifically caused that log
line to be produced. Are there others like it? (i.e., can you find a
pattern in the timing?) Do other logs show anything interesting at
around (or slightly earlier than) the same time?

what is causing you to suspect this particular log line?

Because I didn't type it,

Did you do anything else that might have caused the command to be run on
your behalf? (some sort of GUI interface to crontab, perhaps?)

I've never noticed them before in my logs,

Can you grep your logs to confirm that there are no other occurrences?

and no system process that I know of executes this type of command.

agreed, given "system process" to mean "automated jobs installed with
the default OS installation". Perhaps you ran "make install" to install
a package that adds to "nobody"'s crontab if the entry it's adding doesn't
already exist (it's a long shot, but the point is that you should consider
what was going on on the system at the time, and see if there's anything
at all that might have had that as a side-effect).

... more to the point, what leads you to believe that your
system may have been compromised in the first place?

Because I see a suspicious line in my log.

Just the one line, or are you seeing other evidence which, in context,
causes this line to stick out as suspicious?

Sylvain, I'm halfway to thinking you're pulling my leg, your comments
and questions are so circular. Forgive me if I misread you.

No leg pulling intended. I'm honestly trying to get a sense of what is
causing you to consider this log line to be suspicious.

--
----------------------------------------------------------------------
Sylvain Robitaille syl@xxxxxxxxxxxxxxxxxx

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
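The triage steps Sylvain suggests above (count the other occurrences of the line, look for a timing pattern, and pull what other logs recorded just before the event) can be scripted. The following is an added example written for this thread, not code from either poster; it assumes syslog-style cron lines of the form `Mon DD HH:MM:SS host crontab[PID]: (actor) LIST (target)`, and the two sample logs embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for a suspicious "crontab LIST" log line.
# Assumes syslog-style cron lines:  Mon DD HH:MM:SS host crontab[PID]: (actor) LIST (target)
# Both sample logs below are constructed; they are not from a real system.

SAMPLE_CRON_LOG='Jun  3 02:15:01 box crontab[1201]: (randy) LIST (randy)
Jun  3 02:15:01 box crontab[1202]: (root) LIST (nobody)
Jun  4 02:15:02 box crontab[1411]: (root) LIST (nobody)
Jun  4 09:12:44 box crontab[1533]: (randy) LIST (randy)
Jun  5 02:15:01 box crontab[1687]: (root) LIST (nobody)'

SAMPLE_SYSLOG='Jun  3 02:14:58 box run-parts[1199]: starting daily-audit
Jun  4 02:15:00 box run-parts[1409]: starting daily-audit
Jun  4 09:10:00 box sshd[1520]: Accepted publickey for randy from 10.0.0.5
Jun  5 02:14:59 box run-parts[1685]: starting daily-audit'

# list_events ACTOR TARGET
# Reads a cron log on stdin and prints "Mon D HH:MM:SS" for every line where
# ACTOR listed TARGET's crontab.  This is the "are there others like it?" check.
list_events() {
  actor=$1
  target=$2
  grep -E "crontab\[[0-9]+\]: \($actor\) LIST \($target\)" |
    awk '{ print $1, $2, $3 }'
}

# count_events ACTOR TARGET
# Number of matching lines on stdin (0 when none).
count_events() {
  list_events "$1" "$2" | wc -l | tr -d ' '
}

# timing_pattern ACTOR TARGET
# Distinct HH:MM values at which the event occurred.  A single recurring
# value (e.g. "02:15" every night) points at a scheduled job rather than a
# person at a keyboard; several unrelated values are worth a closer look.
timing_pattern() {
  list_events "$1" "$2" |
    awk '{ print substr($3, 1, 5) }' |
    sort -u |
    tr '\n' ' ' |
    sed 's/ $//'
}

# context_around MON DAY HH:MM:SS WINDOW
# Prints lines from another log on stdin that fall on the same day and within
# WINDOW seconds before (or exactly at) the event time.  This is the "do other
# logs show anything slightly earlier than the same time?" check.
context_around() {
  awk -v mon="$1" -v day="$2" -v t="$3" -v win="$4" '
    function secs(s,  a) { split(s, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
    BEGIN { ev = secs(t) }
    $1 == mon && $2 == day {
      d = ev - secs($3)
      if (d >= 0 && d <= win) print
    }'
}

# Demonstration on the constructed samples, treating "(root) LIST (nobody)"
# as the suspicious line.
printf 'occurrences: %s\n' "$(printf '%s\n' "$SAMPLE_CRON_LOG" | count_events root nobody)"
printf 'times seen:  %s\n' "$(printf '%s\n' "$SAMPLE_CRON_LOG" | timing_pattern root nobody)"
printf 'context before the Jun 4 event:\n'
printf '%s\n' "$SAMPLE_SYSLOG" | context_around Jun 4 02:15:02 30
```

On a real host the two `printf '%s\n' "$SAMPLE_..."` feeds would be replaced by the actual files (for example `cat /var/log/cron | count_events root nobody`), and the window for `context_around` widened to a minute or two. In the constructed data the three `(root) LIST (nobody)` events all land at 02:15, each preceded by a `run-parts` job a few seconds earlier, which is exactly the kind of benign explanation Sylvain asks Randy to rule in or out before treating the line as evidence of compromise.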