CRON Appears to Start Itself!

Posted on 2002-04-17
Medium Priority
Last Modified: 2013-12-06
The system is an HP 715 running under HP-UX 10.20. The CRON in question is run via an account created specially for this purpose. In other words, I don't run, or have access to, it under root.

Several times now, I have found crontabs running that I had disabled via crontab -r and verified were down with crontab -l. This is odd, to say the least.

Is there some kind of bug/glitch in the OS that would cause/allow this to happen, or should I start suspecting that someone is hacking in for a bit of fun?
Question by:pdouglas
  • 3
  • 3

Expert Comment

ID: 6948009
Is it possible that the crontab entries are being re-created?

You must verify the crontab files in the crontab directory. Check for the modification time of this file (and directory).

Also take a look a possible schedules 'at' jobs.

Expert Comment

ID: 6952752
Confirm if other accounts have no similiar cron running?

If you suspect that there are "hackers" in, check on the modification date of the files, sulog files,etc to see if there is any unexpected intruders.

Author Comment

ID: 6953217
Other accounts do have access to CRON, but not the particular crontab in question.

The modification date of the crontab is as it should be.
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.


Expert Comment

ID: 6953280
did you check the file also for 'latest access and creation' time?

check with "ls -lc", "ls -lu', and normal "ls -l".

If you delete the crontab file, then you can verify when the file was last read/accessed/created-modified.

This way you can see of the file has been restored from backup, recreated, and at which time.

How often is the file being 're-created'? Does this occur every day/week/months?


Author Comment

ID: 6954005
If by "created" you mean activated with the crontab <filename> command, then this is done once every several months. I'm not seeing from ls commands where the crontab was accessed on the days that I found it running after having deactivated it, so I guess this rules out hacking.

Accepted Solution

elfie earned 600 total points
ID: 6954036
When you execute  crontab -r, is the crontab file emptied, or completely removed from the system?
If it is completely removed from the system, you should monitor it when it re-appears.

I have never heard before of crontab's reappearing. When executing crontab -r, the files are removed. So crontab can only be re-enabled by recreating the files. Once the files are in crontabs directory they will get executed on the time include in the file.

So if crontab were re-executed, someone must have put them back on the original place. If you suspect no hackers, then mostlikely it will be a restore from backup. (my guess)

Author Comment

ID: 6954278
When I issue a crontab -r command, this does not remove it from the system, but rather stops it from being executed.

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Introduction Regular patching is part of a system administrator's tasks. However, many patches require that the system be in single-user mode before they can be installed. A cluster patch in particular can take quite a while to apply if the machine…
I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question