?
Solved

CRON Appears to Start Itself!

Posted on 2002-04-17
7
Medium Priority
?
297 Views
Last Modified: 2013-12-06
Background:
The system is an HP 715 running under HP-UX 10.20. The CRON in question is run via an account created specially for this purpose. In other words, I don't run, or have access to, it under root.

Several times now, I have found crontabs running that I had disabled via crontab -r and verified were down with crontab -l. This is odd, to say the least.

Question:
Is there some kind of bug/glitch in the OS that would cause/allow this to happen, or should I start suspecting that someone is hacking in for a bit of fun?
0
Comment
Question by:pdouglas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 3

Expert Comment

by:elfie
ID: 6948009
Is it possible that the crontab entries are being re-created?

You must verify the crontab files in the crontab directory. Check for the modification time of this file (and directory).

Also take a look a possible schedules 'at' jobs.
0
 

Expert Comment

by:cjwong
ID: 6952752
Confirm if other accounts have no similiar cron running?

If you suspect that there are "hackers" in, check on the modification date of the files, sulog files,etc to see if there is any unexpected intruders.
0
 

Author Comment

by:pdouglas
ID: 6953217
Other accounts do have access to CRON, but not the particular crontab in question.

The modification date of the crontab is as it should be.
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 3

Expert Comment

by:elfie
ID: 6953280
did you check the file also for 'latest access and creation' time?

check with "ls -lc", "ls -lu', and normal "ls -l".

If you delete the crontab file, then you can verify when the file was last read/accessed/created-modified.

This way you can see of the file has been restored from backup, recreated, and at which time.

How often is the file being 're-created'? Does this occur every day/week/months?

0
 

Author Comment

by:pdouglas
ID: 6954005
If by "created" you mean activated with the crontab <filename> command, then this is done once every several months. I'm not seeing from ls commands where the crontab was accessed on the days that I found it running after having deactivated it, so I guess this rules out hacking.
0
 
LVL 3

Accepted Solution

by:
elfie earned 600 total points
ID: 6954036
When you execute  crontab -r, is the crontab file emptied, or completely removed from the system?
If it is completely removed from the system, you should monitor it when it re-appears.

I have never heard before of crontab's reappearing. When executing crontab -r, the files are removed. So crontab can only be re-enabled by recreating the files. Once the files are in crontabs directory they will get executed on the time include in the file.

So if crontab were re-executed, someone must have put them back on the original place. If you suspect no hackers, then mostlikely it will be a restore from backup. (my guess)
0
 

Author Comment

by:pdouglas
ID: 6954278
When I issue a crontab -r command, this does not remove it from the system, but rather stops it from being executed.
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In tuning file systems on the Solaris Operating System, changing some parameters of a file system usually destroys the data on it. For instance, changing the cache segment block size in the volume of a T3 requires that you delete the existing volu…
My previous tech tip, Installing the Solaris OS From the Flash Archive On a Tape (http://www.experts-exchange.com/articles/OS/Unix/Solaris/Installing-the-Solaris-OS-From-the-Flash-Archive-on-a-Tape.html), discussed installing the Solaris Operating S…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question