LinuxQuestions.org
Old 10-24-2012, 09:39 PM   #1
ham bone
LQ Newbie
Registered: Jul 2012
Location: Wisc
Distribution: Arch Linux dual boot with Vista

Are new & unexpected cron messages at boot time a security issue?


Good evening, everyone!
I've never used a login manager to boot my 'Arch Linux' installation. Therefore, I type xinit to boot into gnome3 or xfce4. Immediately after updating my Arch Linux installation to kernel 3.6.2-1, I started receiving the following messages after booting to 'run level 3:'
Code:
Crond[758] FILE /var/spool/cron/root USER rooot 777 job sys-hourly
Crond[758] FILE /var/spool/cron/root USER rooot 778 job sys-hourly

Is this a security concern??

I checked some cron folders:

[root@archbox ham-bone]# ls /etc/cron.daily/
logrotate man-db shadow

[root@archbox ham-bone]# ls /etc/cron.weekly
chkrootkit

I have no experience with cron, so help would be greatly appreciated.
Thanks in advance


Old 10-25-2012, 02:58 PM   #2
Rupadhya
Member
Registered: Sep 2012
Location: Hoffman Estates, IL
Distribution: Fedora 20

Just for curiosity's sake, could you execute
Code:
crontab -l
Under your root login?

Did you install chkrootkit? If not, you might want to disable it.

- Raj
 
Old 10-25-2012, 03:07 PM   #3
Rupadhya
Member
Registered: Sep 2012
Location: Hoffman Estates, IL
Distribution: Fedora 20

To help you debug this issue I installed chkrootkit from Fedora's repositories. Here is the output of running it from root's command prompt.
Code:
# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/.libcrypto.so.1.0.0j.hmac /usr/lib/.libgcrypt.so.11.hmac /usr/lib/.libcrypto.so.10.hmac /usr/lib/.libssl.so.10.hmac /usr/lib/debug/.build-id /usr/lib/.libssl.so.1.0.0j.hmac /usr/lib/ocf/resource.d/heartbeat/.ocf-returncodes /usr/lib/ocf/resource.d/heartbeat/.ocf-binaries /usr/lib/ocf/resource.d/heartbeat/.ocf-shellfuncs /usr/lib/ocf/resource.d/heartbeat/.ocf-directories
/usr/lib/debug/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user root deleted or never logged from lastlog!
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root          917 tty1   /usr/bin/Xorg :0 -background none -logverbose 7 -auth /var/run/gdm/auth-for-gdm-iK0TkO/database -seat seat0 -nolisten tcp vt1
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
Did you install chkrootkit? Does it set up some kind of weekly cron job on your machine? I don't see it here.

- Raj
 
Old 10-25-2012, 03:32 PM   #4
Reuti
Senior Member
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4

You mean you get emails – or were they just printed on screen?
 
Old 10-25-2012, 08:28 PM   #5
Rupadhya
Member
Registered: Sep 2012
Location: Hoffman Estates, IL
Distribution: Fedora 20

Quote:
You mean you get emails – or were they just printed on screen?
If chkrootkit is in your root's crontab, then you will get an email of the output sent to your root's mailbox.

Is that what you mean?

- Raj
 
Old 10-26-2012, 06:09 AM   #6
Reuti
Senior Member
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 11.4

/etc/crontab, which might start the scripts in /etc/cron.weekly and the like, is not root's crontab. Root can have its own crontab like any other user (edited with crontab -e).

But yes: if cron is set up to send mail (which is in fact the default; you have to have an entry in the crontab to suppress it), then you get an email with the output of the started tasks.

Please see also man crontab:
Quote:
…, any output is mailed to the owner of the crontab (or to the user named in the MAILTO environment variable in the crontab, if such exists).

There will also be entries in /var/log/messages (or /var/log/cron) from cron itself, to reflect what was started.
 
Old 10-27-2012, 12:48 PM   #7
ham bone
LQ Newbie (Original Poster)
Registered: Jul 2012
Location: Wisc
Distribution: Arch Linux dual boot with Vista

Quote:
Originally Posted by Rupadhya View Post
Just for curiosity sake, could you execute
Code:
crontab -l
Under your root login?

Did you install chkrootkit? If not, you might want to disable it.

- Raj
1st, thanks for replying. I apologize for the delay in responding. I've been very busy this week.
2nd, here are the results of crontab -l as root:
Code:
# SYSTEM DAILY/WEEKLY/... FOLDERS
@hourly ID=sys-hourly /usr/sbin/run-cron /etc/cron.hourly
@daily ID=sys-daily /usr/sbin/run-cron /etc/cron.daily
@weekly ID=sys-weekly /usr/sbin/run-cron /etc/cron.weekly
@monthly ID=sys-monthly /usr/sbin/run-cron /etc/cron.monthly
 
Old 10-27-2012, 12:53 PM   #8
ham bone
LQ Newbie (Original Poster)
Registered: Jul 2012
Location: Wisc
Distribution: Arch Linux dual boot with Vista

Quote:
Originally Posted by Reuti View Post
/etc/crontab, which might start the scripts in /etc/cron.weekly and the like, is not root's crontab. Root can have its own crontab like any other user (edited with crontab -e).

But yes: if cron is set up to send mail (which is in fact the default; you have to have an entry in the crontab to suppress it), then you get an email with the output of the started tasks.

Please see also man crontab.

There will also be entries in /var/log/messages (or /var/log/cron) from cron itself, to reflect what was started.
Strange? My /var/log/crond.log states: "unable to exec /usr/sbin/sendmail: cron output for user root job sys-weekly to /dev/null"
 
Old 10-27-2012, 01:02 PM   #9
unSpawn
Moderator
Registered: May 2001

Quote:
Originally Posted by ham bone View Post
here is the results of crontab -l as root:
# SYSTEM DAILY/WEEKLY/... FOLDERS
@hourly ID=sys-hourly /usr/sbin/run-cron /etc/cron.hourly
(..)
As Reuti said, system cron commands should be in /etc/crontab, not the root user's crontab.


Quote:
Originally Posted by ham bone View Post
Immediately after updating my Arch Linux installation to kernel 3.6.2-1, I started receiving the following messages after booting to 'run level 3:'
Crond[758] FILE /var/spool/cron/root USER rooot 777 job sys-hourly
Crond[758] FILE /var/spool/cron/root USER rooot 778 job sys-hourly.
Is this a security concern??
Unless you have an account called "rooot" (one "o" more or less may be easily overlooked ;-p) I can't see a reason why.
Looks like Syslog spitting out messages on stdout or stderr instead of one of the log files in /var/log.


Quote:
Originally Posted by ham bone View Post
I have no experience with cron
If your databases are up to date then 'apropos cron' should give you some pointers.
 
Old 10-27-2012, 01:04 PM   #10
ham bone
LQ Newbie (Original Poster)
Registered: Jul 2012
Location: Wisc
Distribution: Arch Linux dual boot with Vista

Rupadhya,
Thanks for the replies. I did run chkrootkit before posting and I ran it after reading your post. The output was identical to the output in your post. I doubt that the following is important, but when I run chkrootkit or anything as root, typically I open a terminal and then type "sudo -s." Then I run as root. In other words I almost never log into my root account.

Reuti,
Thanks for posting. I do not believe that my cron is set up to send email. I know that crond is backgrounded in my rc.conf. I also know that for Arch Linux under 3.6.2-1, several items have been deprecated, modules and more. I think that all of the messages are a result of that deprecation, but I did not see anything in "Arch Linux" news. See below:

Oct 21 21:09:26 localhost crond[5197]: unable to exec /usr/sbin/sendmail: cron output for user root job sys-weekly to /dev/null

See what I mean?
Many thanks to all that have responded, and I apologize for my delay in reporting back. I've just been busy. If all looks solved to you, please indicate so that I can continue or mark this thread as solved.

Thanks
Ham Bone


Old 10-27-2012, 03:24 PM   #11
speck
Member
Registered: Nov 2001
Location: California
Distribution: Slackware 14.1

Quote:
Rupadhya,
Thanks for the replies. I did run chkrootkit before posting and I ran it after reading your post. The output was identical to the output in your post.
Are you sure, considering that the line below was listed in Rupadhya's output.

Code:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
 
Old 10-27-2012, 04:25 PM   #12
Rupadhya
Member
Registered: Sep 2012
Location: Hoffman Estates, IL
Distribution: Fedora 20

I saw the message,
Quote:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
and got a bit concerned. Was this to be my first virus in the Linux world? How did I get this? I did a www.google.com search and found that chkrootkit was reporting a false positive. I filed a bugzilla report to get this fixed, but have not seen anything happen as of yet.

https://bugzilla.redhat.com/show_bug.cgi?id=636231

Regards,

Raj Upadhyaya
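Added example, mine rather than anything from the thread or from chkrootkit: when a scanner says /sbin/init is INFECTED, the two checks that settle it are what file /sbin/init really is, and whether that file matches the package that installed it. On a systemd system /sbin/init is a symlink to the systemd binary, so a check written with a small SysV init in mind is reading a very different executable; and, as ham bone did from a USB boot, the comparison made while the suspect system is not running is the one to trust, because nothing on that system can then interfere with it. The pacman, rpm and dpkg calls are assumptions about which distribution you are on (Arch, Fedora, Debian); the EXPECTED digest for the offline check comes from your own clean copy of the package, never from this page.

```sh
#!/bin/sh
# Added example, not from the thread and not part of chkrootkit: before acting on
# a scanner's "INFECTED" verdict for /sbin/init (or deleting the check), confirm
# what file actually runs as init and whether it matches what the package manager
# installed. The pacman/rpm/dpkg calls are assumptions about the distribution;
# the rest is POSIX sh.

# real_init ROOT: the file /sbin/init resolves to under ROOT (default "/", or the
# mount point of an installation inspected from rescue media). On systemd systems
# /sbin/init is a symlink into /usr/lib/systemd/, so a scanner reading /sbin/init
# is really reading the systemd binary, not a small SysV init.
real_init() {
    readlink -f "${1:-}/sbin/init"
}

# file_sha256 FILE: hex SHA-256 digest of FILE (sha256sum on Linux, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_init_offline ROOT EXPECTED: compare the init binary under ROOT with a
# digest obtained out of band (for example from the distribution's package file
# on a clean machine). Meant for the rescue-media case: the inspected system is
# not running, so nothing on it can lie about its own files.
verify_init_offline() {
    target=$(real_init "$1") || return 2
    actual=$(file_sha256 "$target")
    if [ "$actual" = "$2" ]; then
        echo "ok: $target matches expected digest"
    else
        echo "MISMATCH: $target has $actual, expected $2"; return 1
    fi
}

# verify_init_online: on the running system, ask the package manager which
# package owns the init binary and whether the installed file still verifies.
# Returns 0 when it verifies, 1 when the package manager reports a change,
# 2 when no supported package manager is present. A kernel-level rootkit could
# subvert these tools too, which is why the offline check above exists.
verify_init_online() {
    target=$(real_init) || return 2
    if command -v pacman >/dev/null 2>&1; then           # Arch Linux
        pkg=$(pacman -Qoq "$target") || return 1
        pacman -Qkk "$pkg" 2>&1 | grep -F -- "$target" && return 1
    elif command -v rpm >/dev/null 2>&1; then            # Fedora / RHEL
        rpm -Vf "$target" | grep -F -- "$target" && return 1
    elif command -v dpkg >/dev/null 2>&1; then           # Debian / Ubuntu
        pkg=$(dpkg -S "$target" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] || return 1
        dpkg -V "$pkg" | grep -F -- "$target" && return 1
    else
        echo "no supported package manager found" >&2; return 2
    fi
    echo "ok: $target verifies against its package"
}

# "sh init-check.sh check" runs the online check on the live system.
if [ "${1:-}" = "check" ]; then
    verify_init_online
fi
```

For the offline case, boot the rescue medium, mount the installation at some directory and call verify_init_offline on that mount point with the digest taken from a freshly downloaded copy of the same package version. If the file verifies and the scanner still complains, you are looking at a signature problem in the scanner, not at a compromised init.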
 
Old 10-27-2012, 05:31 PM   #13
unSpawn
Moderator
Registered: May 2001

Quote:
Originally Posted by Rupadhya View Post
have not seen anything happen as of yet.
That's because the bug report should be sent to the upstream developer, not Red Hat. And as shown by distros patching the hell out of it, chkrootkit hasn't seen an update in ages. Attached a quick diff for just removing the check, which you could also do by hand of course. As always YMMV(VM).
Attached Files
File Type: txt chkrootkit.diff.txt (922 Bytes)
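Added example, mine and not from the thread, from chkrootkit or from any distribution package: post #8 shows cron's output going to /dev/null because there is no sendmail, so the weekly chkrootkit run in /etc/cron.weekly is never seen by anyone, and post #13 proposes deleting the Suckit check to silence the false positive. A wrapper that logs every run to a file and reports only lines that differ from a reviewed baseline addresses both without patching the scanner: the first run is stored and reviewed by hand (the /sbin/init warning included), and later runs only make noise when something new appears. LOGDIR, BASELINE and the chkrootkit path are assumptions; install the script in /etc/cron.weekly (or point a crontab entry at it) in place of the bare chkrootkit call.

```sh
#!/bin/sh
# Added example, not from the thread, chkrootkit or any package: a wrapper for the
# weekly chkrootkit run that (1) keeps the full output in a log file, so nothing is
# lost when cron has no sendmail and discards the mail, and (2) compares each run
# against an accepted baseline and reports only lines that changed, so a known
# false positive can be acknowledged once instead of patching the check out.
# Paths are assumptions: adjust LOGDIR, BASELINE and CHKROOTKIT for your system.
LOGDIR=${LOGDIR:-/var/log/chkrootkit}
BASELINE=${BASELINE:-$LOGDIR/baseline.txt}
CHKROOTKIT=${CHKROOTKIT:-/usr/sbin/chkrootkit}

# normalize: chkrootkit prints a per-process table (lines starting with "! ")
# whose PIDs and command lines differ on every boot. Drop it and sort the rest
# so the comparison only sees findings, not volatile detail.
normalize() {
    sed -e '/^! /d' | sort -u
}

# new_findings BASELINE_FILE CURRENT_FILE: print normalized lines of CURRENT that
# are not in BASELINE. Succeeds when there is nothing new, fails otherwise.
new_findings() {
    tmp_b=$(mktemp); tmp_c=$(mktemp)
    normalize < "$1" > "$tmp_b"
    normalize < "$2" > "$tmp_c"
    out=$(comm -13 "$tmp_b" "$tmp_c")
    rm -f "$tmp_b" "$tmp_c"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# run_weekly: run the scanner, archive the raw output under LOGDIR, and exit
# non-zero with the new lines on stdout when something changed. cron mails stdout
# if an MTA exists; the log file is the durable record either way.
run_weekly() {
    mkdir -p "$LOGDIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    current=$LOGDIR/run-$stamp.txt
    "$CHKROOTKIT" > "$current" 2>&1
    if [ ! -f "$BASELINE" ]; then
        cp "$current" "$BASELINE"
        echo "no baseline yet; stored $current as $BASELINE (review it by hand)"
        return 0
    fi
    if new_findings "$BASELINE" "$current"; then
        return 0
    else
        echo "chkrootkit output changed; full run in $current" >&2
        return 1
    fi
}

# After reviewing a changed run and deciding it is benign, accept it with:
#   cp /var/log/chkrootkit/run-<stamp>.txt /var/log/chkrootkit/baseline.txt
case ${1:-} in
    run) run_weekly ;;
esac
```

Keep the baseline file root-owned and mode 600: anyone who can edit it can hide a finding. If you do want the report mailed as well, a MAILTO line in the crontab that runs this script directs the stdout to an address once an MTA is installed; with no MTA the log directory is what you review.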
 
Old 10-28-2012, 04:23 PM   #14
ham bone
LQ Newbie (Original Poster)
Registered: Jul 2012
Location: Wisc
Distribution: Arch Linux dual boot with Vista

Beautiful catch! Thanks

Quote:
Originally Posted by speck View Post
Are you sure, considering that the line below was listed in Rupadhya's output.

Code:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Thanks, Speck!
I did not notice the word "INFECTED," so I ran chkrootkit again. I even searched using 'control + f' matching case. The result is still negative.

My 'Arch Linux' installation is the subject of this post. I booted into crunchbang Statler, which is on one of my USB drives, and then mounted my 'Arch Linux' installation. After mounting Arch, I ran clamscan and the Arch installation was clean.

Unless someone can tell me differently, I am going to consider this post closed. The whole reason for this post is that when I boot into run level 3 (no log on manager installed) I get a message from crond as described in my original post.
 
Old 10-28-2012, 04:31 PM   #15
ham bone
LQ Newbie (Original Poster)
Registered: Jul 2012
Location: Wisc
Distribution: Arch Linux dual boot with Vista

By the way, I ran "man crontab." The problem with man pages is that they either help or they seem so removed from the problem at hand. In this case, the latter prevailed. I guess seeing the following messages after booting to 'run level 3:'
Code:
Crond[758] FILE /var/spool/cron/root USER rooot 777 job sys-hourly
Crond[758] FILE /var/spool/cron/root USER rooot 778 job sys-hourly
will be the norm. True?? This only happened after upgrading to kernel 3.6.2-1.

Again thanks for all the replies.
Sincerely,
Hambone
 
  


Tags: /sbin/init infected, chkrootkit, suckit rootkit, systemd