Are new & unexpected cron messages at boot time a security issue?
Good evening, everyone!
I've never used a login manager to boot my 'Arch Linux' installation. Therefore, I type xinit to boot into gnome3 or xfce4. Immediately after updating my Arch Linux installation to kernel 3.6.2-1, I started receiving the following messages after booting to 'run level 3:'
Crond[758] FILE /var/spool/cron/root USER rooot 777 job sys-hourly
Crond[758] FILE /var/spool/cron/root USER rooot 778 job sys-hourly.
Is this a security concern??
I checked some cron folders:
[root@archbox ham-bone]# ls /etc/cron.daily/
logrotate man-db shadow
[root@archbox ham-bone]# ls /etc/cron.weekly
chkrootkit
I have no experience with cron, so help would be greatly appreciated.
Thanks in advance
To help you debug this issue I installed chkrootkit from Fedora's repositories. Here is the output of running it from root's command prompt.
Code:
# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not found
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.libcrypto.so.1.0.0j.hmac /usr/lib/.libgcrypt.so.11.hmac /usr/lib/.libcrypto.so.10.hmac /usr/lib/.libssl.so.10.hmac /usr/lib/debug/.build-id /usr/lib/.libssl.so.1.0.0j.hmac /usr/lib/ocf/resource.d/heartbeat/.ocf-returncodes /usr/lib/ocf/resource.d/heartbeat/.ocf-binaries /usr/lib/ocf/resource.d/heartbeat/.ocf-shellfuncs /usr/lib/ocf/resource.d/heartbeat/.ocf-directories
/usr/lib/debug/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user root deleted or never logged from lastlog!
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 917 tty1 /usr/bin/Xorg :0 -background none -logverbose 7 -auth /var/run/gdm/auth-for-gdm-iK0TkO/database -seat seat0 -nolisten tcp vt1
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
Did you install chkrootkit? Does it set up some kind of weekly cron job on your machine? I don't see it here.
/etc/crontab, which might start the scripts in /etc/cron.weekly and the like, is not root's crontab. Root can have its own crontabs like any other user can (edited by crontab -e).
But yes: if cron is set up to send mails (which is in fact the default; you have to have an entry in the crontab to suppress it), then you get an email with the output of the started tasks.
Please see also man crontab:
Quote:
…, any output is mailed to the owner of the crontab (or to the user named in the MAILTO environment variable in the crontab, if such exists).
There will also be entries in /var/log/messages (or /var/log/cron) from cron itself, to reflect what was started.
Quote:
Originally Posted by Reuti
/etc/crontab, which might start the scripts in /etc/cron.weekly and the like, is not root's crontab. Root can have its own crontabs like any other user can (edited by crontab -e).
But yes: if cron is set up to send mails (which is in fact the default; you have to have an entry in the crontab to suppress it), then you get an email with the output of the started tasks.
Please see also man crontab:
There will also be entries in /var/log/messages (or /var/log/cron) from cron itself, to reflect what was started.
Strange? My /var/log/crond.log states: "unable to exec /usr/sbin/sendmail: cron output for user root job sys-weekly to /dev/null"
here is the results of crontab -l as root:
# SYSTEM DAILY/WEEKLY/... FOLDERS
@hourly ID=sys-hourly /usr/sbin/run-cron /etc/cron.hourly
(..)
As Reuti said, system cron commands should be in /etc/crontab, not the root user's crontab.
Quote:
Originally Posted by ham bone
Immediately after updating my Arch Linux installation to kernel 3.6.2-1, I started receiving the following messages after booting to 'run level 3:'
Crond[758] FILE /var/spool/cron/root USER rooot 777 job sys-hourly
Crond[758] FILE /var/spool/cron/root USER rooot 778 job sys-hourly.
Is this a security concern??
Unless you have an account called "rooot" (one "o" more or less may be easily overlooked ;-p) I can't see a reason why.
Looks like Syslog spitting out messages on stdout or stderr instead of one of the log files in /var/log.
Quote:
Originally Posted by ham bone
I have no experience with cron
If your databases are up to date then 'apropos cron' should give you some pointers.
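The two points made in the replies above, that a crontab's output is mailed to its owner unless MAILTO says otherwise, and that the only thing worth checking in the quoted messages is whether the named user really exists, can be turned into a small audit. The block below is an added example written for this thread; it is not code from LinuxQuestions or from any poster. All inputs are constructed samples modelled on the quoted output (the crontab lines, a /etc/passwd excerpt, and two crond log lines); the ID= tag is the cronie job-identifier prefix seen in the crontab -l output, and a "FILE ... USER ..." line is parsed in the shape the original post quotes.

```python
"""
Added example (not code from the LinuxQuestions thread or any of its posters):
a small audit over the things the thread discusses -- the root spool crontab
in /var/spool/cron, the MAILTO setting that decides where job output goes
(crontab(5): mailed to the owner, or to MAILTO; an empty MAILTO discards it),
and crond log lines naming a crontab owner.  Every input below is a
constructed sample modelled on the thread's quoted output.
"""
import re

# Constructed root crontab, modelled on the 'crontab -l' excerpt in the thread.
# ID=<name> is the cronie job-identifier prefix that appears in those lines.
SAMPLE_CRONTAB = """\
# SYSTEM DAILY/WEEKLY/... FOLDERS
MAILTO=""
@hourly ID=sys-hourly /usr/sbin/run-cron /etc/cron.hourly
@daily  ID=sys-daily  /usr/sbin/run-cron /etc/cron.daily
@weekly ID=sys-weekly /usr/sbin/run-cron /etc/cron.weekly
"""

# Constructed /etc/passwd excerpt: the set of accounts a crontab owner must be in.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ham-bone:x:1000:1000::/home/ham-bone:/bin/bash
"""

# Constructed crond log lines, modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
Oct 21 21:09:26 localhost crond[5197]: unable to exec /usr/sbin/sendmail: cron output for user root job sys-weekly to /dev/null
Oct 21 21:09:27 localhost crond[758]: FILE /var/spool/cron/root USER rooot 777 job sys-hourly
"""

ENV_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
FILE_USER_RE = re.compile(r'FILE (\S+) USER (\S+) .*job (\S+)')
NO_MTA_RE = re.compile(r'unable to exec \S*sendmail: .*job (\S+) to (\S+)')


def parse_crontab(text):
    """Split crontab text into (env, jobs).

    env maps VAR -> value for assignment lines; jobs is a list of dicts with
    the schedule, the cronie ID= tag (None when absent) and the command.
    """
    env, jobs = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ENV_RE.match(line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip('"')
            continue
        if line.startswith('@'):            # @hourly, @daily, @reboot ...
            schedule, rest = line.split(None, 1)
        else:                               # minute hour dom month dow
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, rest = ' '.join(fields[:5]), fields[5]
        job_id = None
        if rest.startswith('ID='):
            parts = rest.split(None, 1)
            job_id = parts[0][3:]
            rest = parts[1] if len(parts) > 1 else ''
        jobs.append({'schedule': schedule, 'id': job_id, 'command': rest})
    return env, jobs


def mail_disposition(env):
    """Where job output ends up, following crontab(5)."""
    if 'MAILTO' not in env:
        return 'mailed to crontab owner'
    if env['MAILTO'] == '':
        return 'discarded (MAILTO empty)'
    return 'mailed to ' + env['MAILTO']


def audit_log(log_text, passwd_text):
    """Classify crond log lines.

    A FILE/USER line whose user is not a local account is flagged (the 'rooot'
    case from the thread would land here); an 'unable to exec sendmail' line
    is recorded as NO_MTA, meaning output is being discarded, not mailed.
    """
    users = {l.split(':')[0] for l in passwd_text.splitlines() if l.strip()}
    findings = []
    for line in log_text.splitlines():
        m = FILE_USER_RE.search(line)
        if m:
            _path, user, job = m.groups()
            findings.append(('OK' if user in users else 'UNKNOWN_USER', user, job))
            continue
        m = NO_MTA_RE.search(line)
        if m:
            findings.append(('NO_MTA', m.group(1), m.group(2)))
    return findings


if __name__ == '__main__':
    env, jobs = parse_crontab(SAMPLE_CRONTAB)
    print('output of root jobs is', mail_disposition(env))
    for job in jobs:
        print(' ', job['schedule'], job['id'], job['command'])
    for finding in audit_log(SAMPLE_LOG, SAMPLE_PASSWD):
        print(' ', *finding)
```

On a real host the same functions can be fed the text of /var/spool/cron/root, /etc/passwd and /var/log/cron (or crond.log); an UNKNOWN_USER finding is the one outcome that would justify looking further, while NO_MTA only says that no mailer is installed and the job output is going to /dev/null.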
Rupadhya,
Thanks for the replies. I did run chkrootkit before posting and I ran it after reading your post. The output was identical to the output in your post. I doubt that the following is important, but when I run chkrootkit or anything as root, typically I open a terminal and then type "sudo -s." Then I run as root. In other words I almost never log into my root account.
Reuti,
Thanks for posting. I do not believe that my cron is set up to send email. I know that crond is backgrounded in my rc.conf. I also know that for Arch Linux under 3.6.2-1, several items have been deprecated, modules and more. I think that all of the messages are a result of that deprecation, but I did not see anything in "Arch Linux" news. See below:
Oct 21 21:09:26 localhost crond[5197]: unable to exec /usr/sbin/sendmail: cron output for user root job sys-weekly to /dev/null
See what I mean?
Many thanks to all that have responded, and I apologize for my delay in reporting back. I've just been busy. If all looks solved to you, please indicate so that I can continue or mark this thread as solved.
Quote:
Originally Posted by ham bone
Rupadhya,
Thanks for the replies. I did run chkrootkit before posting and I ran it after reading your post. The output was identical to the output in your post.
Are you sure, considering that the line below was listed in Rupadhya's output?
Code:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
and got a bit concerned. Was this to be my first virus in the Linux world? How did I get this? I did a www.google.com search and found that chkrootkit was reporting a false positive. I created a bugzilla to fix this, but have not seen anything happen as of yet.
That's because the bug report should be sent to the upstream developer, not Red Hat. And as shown by distros patching the hell out of it, chkrootkit hasn't seen an update in ages. Attached a quick diff for just removing the check, which you could also do just by hand of course. As always YMMV(VM).
Last edited by unSpawn; 10-30-2012 at 03:50 PM.
Reason: //Forgot must use legitimate extension ;-p
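A single signature hit from a scanner, like the Suckit warning on /sbin/init discussed above, is best settled by comparing the file with what the package actually shipped rather than by removing the check. The block below is an added example written for this thread, not code from chkrootkit, any distribution, or any poster here. It assumes a Linux host with coreutils sha256sum; the package-manager commands are the ones that exist on Arch (pacman -Qoq, pacman -Qkk) and on Fedora/RHEL (rpm -Vf), and the manifest format is the "<sha256>  <path>" layout that sha256sum writes.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check a binary that a scanner
# flagged (the thread's case is /sbin/init) against a trusted reference
# instead of acting on one signature match.
#
# Assumed environment: Linux with coreutils sha256sum and awk. The package
# manager calls are the real Arch (pacman) and Fedora/RHEL (rpm) ones;
# which branch runs is decided at run time.

# verify_with_pkgmgr PATH
# Ask the package database whether PATH still matches the shipped file.
# Returns 0 on a clean report, 1 on a discrepancy, 2 if no known manager.
# pacman -Qkk also reports mtime mismatches, so read its output, not just
# the exit code, before drawing a conclusion from it.
verify_with_pkgmgr() {
    if command -v pacman >/dev/null 2>&1; then
        pkg=$(pacman -Qoq "$1" 2>/dev/null) || return 1
        pacman -Qkk "$pkg"
        return $?
    elif command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"          # prints nothing and exits 0 when unchanged
        return $?
    fi
    return 2
}

# verify_against_manifest PATH MANIFEST
# Compare PATH's SHA-256 with its line in MANIFEST ("<sha256>  <path>", as
# written by sha256sum). The manifest must come from a trusted source such
# as the original package, recorded before the host was in doubt, otherwise
# the comparison proves nothing.
# Returns 0 on match, 1 on mismatch, 2 if PATH is not listed.
verify_against_manifest() {
    expected=$(awk -v p="$1" '$2 == p { print $1 }' "$2")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Usage (not run automatically):
#   verify_with_pkgmgr /sbin/init; echo "package check exit=$?"
#   verify_against_manifest /sbin/init /root/trusted-sha256.txt; echo "exit=$?"
```

Exit code 2 from either function means "no verdict", which should be treated differently from a mismatch; a cleared run of rpm -Vf or pacman -Qkk for the owning package is the evidence that turns the chkrootkit line into a confirmed false positive.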
Quote:
Originally Posted by Speck
Are you sure, considering that the line below was listed in Rupadhya's output?
Code:
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Thanks, Speck!
I did not notice the word "INFECTED," so I ran chkrootkit again. I even searched using 'control + f' matching case. The result is still negative.
My 'Arch Linux' installation is the subject of this post. I booted into crunchbang Statler, which is on one of my USB drives, and then mounted my 'Arch Linux' installation. After mounting Arch, I ran clamscan and the Arch installation was clean.
Unless someone can tell me differently, I am going to consider this post closed. The whole reason for this post is that when I boot into run level 3 (no login manager installed) I get a message from crond as described in my original post.
By the way, I ran "man crontab." The problem with man pages is that either they help or they seem so removed from the problem at hand. In this case, the latter prevailed. I guess seeing the following messages after booting to 'run level 3:'
"Crond[758] FILE /var/spool/cron/root USER rooot 777 job sys-hourly
Crond[758] FILE /var/spool/cron/root USER rooot 778 job sys-hourly"
will be the norm. True?? This only happened after upgrading to kernel 3.6.2-1.
Again thanks for all the replies.
Sincerely,
Hambone