Solved

CRON Appears to Start Itself!

Posted on 2002-04-17
Last Modified: 2013-12-06
Background:
The system is an HP 715 running under HP-UX 10.20. The CRON in question is run via an account created specially for this purpose. In other words, I don't run, or have access to, it under root.

Several times now, I have found crontabs running that I had disabled via crontab -r and verified were down with crontab -l. This is odd, to say the least.

Question:
Is there some kind of bug/glitch in the OS that would cause/allow this to happen, or should I start suspecting that someone is hacking in for a bit of fun?
Question by:pdouglas
7 Comments
 
LVL 3

Expert Comment

by:elfie
ID: 6948009
Is it possible that the crontab entries are being re-created?

You must verify the crontab files in the crontab directory. Check for the modification time of this file (and directory).

Also take a look at possible scheduled 'at' jobs.
0
 

Expert Comment

by:cjwong
ID: 6952752
Confirm if other accounts have no similar cron running?

If you suspect that there are "hackers" in, check on the modification date of the files, sulog files, etc. to see if there are any unexpected intruders.
0
 

Author Comment

by:pdouglas
ID: 6953217
Other accounts do have access to CRON, but not the particular crontab in question.

The modification date of the crontab is as it should be.
0
 
LVL 3

Expert Comment

by:elfie
ID: 6953280
Did you check the file also for 'latest access and creation' time?

Check with "ls -lc", "ls -lu", and normal "ls -l".

If you delete the crontab file, then you can verify when the file was last read/accessed/created-modified.

This way you can see if the file has been restored from backup, recreated, and at which time.

How often is the file being 're-created'? Does this occur every day/week/months?

0
 

Author Comment

by:pdouglas
ID: 6954005
If by "created" you mean activated with the crontab <filename> command, then this is done once every several months. I'm not seeing from ls commands where the crontab was accessed on the days that I found it running after having deactivated it, so I guess this rules out hacking.
0
 
LVL 3

Accepted Solution

by:
elfie earned 200 total points
ID: 6954036
When you execute crontab -r, is the crontab file emptied, or completely removed from the system?
If it is completely removed from the system, you should monitor it when it re-appears.

I have never heard before of crontabs reappearing. When executing crontab -r, the files are removed. So crontab can only be re-enabled by recreating the files. Once the files are in the crontabs directory they will get executed at the time included in the file.

So if crontab were re-executed, someone must have put them back in the original place. If you suspect no hackers, then most likely it will be a restore from backup. (my guess)
0
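
The checks suggested in the comments above (compare the `ls -l`, `ls -lc` and `ls -lu` timestamps, monitor for the crontab file re-appearing, look at queued `at` jobs) combined into one script. This is an added example, not part of the original thread; the spool paths `/var/spool/cron/crontabs` and `/var/spool/cron/atjobs`, the function names and the baseline-file location are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed HP-UX spool locations:
CRON_DIR=${CRON_DIR:-/var/spool/cron/crontabs}
AT_DIR=${AT_DIR:-/var/spool/cron/atjobs}

# Identity of user $1's spool file: "absent" or "present <checksum>".
cron_state() {
    f="$CRON_DIR/$1"
    if [ -f "$f" ]; then
        echo "present $(cksum < "$f" | awk '{print $1}')"
    else
        echo "absent"
    fi
}

# The three timestamps from the thread: ls -l (content modified),
# ls -lc (inode changed, e.g. file re-created), ls -lu (last read).
cron_times() {
    f="$CRON_DIR/$1"
    [ -f "$f" ] || { echo "no-file"; return 0; }
    m=$(ls -l  "$f" | awk '{print $6, $7, $8}')
    c=$(ls -lc "$f" | awk '{print $6, $7, $8}')
    u=$(ls -lu "$f" | awk '{print $6, $7, $8}')
    echo "mtime=[$m] ctime=[$c] atime=[$u]"
}

# Compare against the state saved in baseline file $2, then update it.
cron_check() {
    old=$(cat "$2" 2>/dev/null || echo unknown)
    times=$(cron_times "$1")   # read before cksum updates the access time
    new=$(cron_state "$1")
    echo "$new" > "$2"
    case "$old:$new" in
        unknown:*)        verdict=BASELINE ;;
        absent:present*)  verdict=REAPPEARED ;;
        present*:absent)  verdict=REMOVED ;;
        *) [ "$old" = "$new" ] && verdict=UNCHANGED || verdict=MODIFIED ;;
    esac
    echo "$verdict $times"
}

# Number of queued at(1) job files, which the thread also says to check.
at_pending() { ls "$AT_DIR" 2>/dev/null | wc -l | tr -d ' '; }

# Usage: sh cronwatch.sh <user> [baseline-file]
if [ $# -gt 0 ]; then
    cron_check "$1" "${2:-$HOME/.cron_baseline}"
    echo "at jobs queued: $(at_pending)"
fi
```

Run it by hand at intervals after `crontab -r`, from an account that can read the spool directory. A `REAPPEARED` verdict together with the reported ctime gives the time window to compare against backup/restore activity and the sulog.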
 

Author Comment

by:pdouglas
ID: 6954278
When I issue a crontab -r command, this does not remove it from the system, but rather stops it from being executed.
0
