Thread: suspicious cron log entry

  1. suspicious cron log entry

    Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)

    Is this normal? If so, can someone please explain who/what is
    doing this? If not, any suggestions on a course of action?
    --
    % Randy Yates % "How's life on earth?
    %% Fuquay-Varina, NC % ... What is it worth?"
    %%% 919-577-9882 % 'Mission (A World Record)',
    %%%% % *A New World Record*, ELO
    http://home.earthlink.net/~yatescr

  2. Re: suspicious cron log entry

    Randy Yates writes:

    > Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
    >
    > Is this normal? If so, can someone please explain who/what is
    > doing this? If not, any suggestions on a course of action?


    I should say that "doing this" means "crontab -l". Or am I
    wrong?
    --
    % Randy Yates % "With time with what you've learned,
    %% Fuquay-Varina, NC % they'll kiss the ground you walk
    %%% 919-577-9882 % upon."
    %%%% % '21st Century Man', *Time*, ELO
    http://home.earthlink.net/~yatescr

  3. Re: suspicious cron log entry

    Randy Yates wrote:

    >> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
    >>
    >> Is this normal? If so, can someone please explain who/what is
    >> doing this? If not, any suggestions on a course of action?

    >
    > I should say that "doing this" means "crontab -l". Or am I
    > wrong?


    Yes, it looks like someone, acting as root typed "crontab -l nobody".
    Whether that's "normal" in your situation is not something others can
    determine for you (are you the only one with legitimate "root" access
    on this system?), but it certainly would be "normal" on systems I
    manage, especially for "software accounts" that do have cron jobs, where
    I might want to check details.

    I hope that helps ...

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Systems and Network analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------

  4. Re: suspicious cron log entry

    Sylvain Robitaille writes:

    > Randy Yates wrote:
    >
    >>> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
    >>>
    >>> Is this normal? If so, can someone please explain who/what is
    >>> doing this? If not, any suggestions on a course of action?

    >>
    >> I should say that "doing this" means "crontab -l". Or am I
    >> wrong?

    >
    > Yes, it looks like someone, acting as root typed "crontab -l nobody".
    > Whether that's "normal" in your situation is not something others can
    > determine for you (are you the only one with legitimate "root" access
    > on this system?), but it certainly would be "normal" on systems I
    > manage, especially for "software accounts" that do have cron jobs, where
    > I might want to check details.
    >
    > I hope that helps ...


    Hi Sylvain,

    Thanks for your response. I don't mean to be thick, but I still don't
    really see what the bottom line is. I am the only human that should
    have root access to my computer. Are there programs or cron jobs that
    might do this sort of thing automatically? If so, how do you check?

    If not, then please clarify that this is indeed an indication of a
    break-in.
    --
    % Randy Yates % "So now it's getting late,
    %% Fuquay-Varina, NC % and those who hesitate
    %%% 919-577-9882 % got no one..."
    %%%% % 'Waterfall', *Face The Music*, ELO
    http://home.earthlink.net/~yatescr

  5. Re: suspicious cron log entry

    Randy Yates wrote:

    > Thanks for your response. I don't mean to be thick, but I still don't
    > really see what the bottom line is. I am the only human that should
    > have root access to my computer.


    Then I would conclude that at Aug 25 22:55:39, as root, you typed
    "crontab -l nobody" (or perhaps as your own user you used sudo to issue
    the same command?) Think back carefully. Examine root's command
    history file (.history, or perhaps .bash_history) for reminders.
    Examine your own history file as well.

    > Are there programs or cron jobs that might do this sort of thing
    > automatically? If so, how do you check?


    I highly doubt it. You could grep through crontabs and /etc/cron.*, but
    I'd be surprised if you found anything there that would cause a crontab
    listing for user nobody.

    > If not, then please clarify that this is indeed an indication of a
    > break-in.


    As I said in my earlier message,

    Whether that's "normal" in your situation is not something others can
    determine for you ...

    I suppose the question to begin with, is what is causing you to suspect
    this particular log line? Or perhaps more to the point, what leads you
    to believe that your system may have been compromised in the first
    place?

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Systems and Network analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------

  6. Re: suspicious cron log entry

    Sylvain Robitaille writes:

    > Randy Yates wrote:
    >
    >> Thanks for your response. I don't mean to be thick, but I still don't
    >> really see what the bottom line is. I am the only human that should
    >> have root access to my computer.

    >
    > Then I would conclude that at Aug 25 22:55:39, as root, you typed
    > "crontab -l nobody" (or perhaps as your own user you used sudo to issue
    > the same command?) Think back carefully. Examine root's command
    > history file (.history, or perhaps .bash_history) for reminders.
    > Examine your own history file as well.


    It wasn't me. I didn't even know there was a -l option until I saw
    this entry in the log and read up on the crontab man page.

    >> Are there programs or cron jobs that might do this sort of thing
    >> automatically? If so, how do you check?

    >
    > I highly doubt it. You could grep through crontabs and /etc/cron.*, but
    > I'd be surprised if you found anything there that would cause a crontab
    > listing for user nobody.


    OK.

    >> If not, then please clarify that this is indeed an indication of a
    >> break-in.

    >
    > As I said in my earlier message,
    >
    > Whether that's "normal" in your situation is not something others can
    > determine for you ...


    I don't believe that's true. If I asked you to help me determine
    what's wrong with my car, couldn't you do it through a series of
    queries and responses? Granted I'd have to do the work of checking
    what you ask me to check, but in this case, assuming it's fairly
    trivial, I'd gladly do that.

    > I suppose the question to begin with, is what is causing you to suspect
    > this particular log line?


    Because I didn't type it, I've never noticed them before in my logs,
    and no system process that I know of executes this type of command.

    > Or perhaps more to the point, what leads you to believe that your
    > system may have been compromised in the first place?


    Because I see a suspicious line in my log.

    Sylvain, I'm halfway to thinking you're pulling my leg, your comments
    and questions are so circular. Forgive me if I misread you.
    --
    % Randy Yates % "Midnight, on the water...
    %% Fuquay-Varina, NC % I saw... the ocean's daughter."
    %%% 919-577-9882 % 'Can't Get It Out Of My Head'
    %%%% % *El Dorado*, Electric Light Orchestra
    http://home.earthlink.net/~yatescr

  7. Re: suspicious cron log entry

    > Whether that's "normal" in your situation is not something others can
    > determine for you ...


    Truly, limited understanding of the situation hinders any ability to
    make an accurate response. You have provided very generic information
    to go on, and in such a small quantity that there could be many
    correct responses.

    There are tools, which I know almost nothing about, that will change
    the default nature of crontab. It's possible to use a webtool on a
    setup that uses SmoothWall...the mod changes the ownership of crontab
    to nobody so the browser-based application can access the crontab.
    Similar article here...

    http://community.smoothwall.org/foru...d0123a8adba9e3

    At this point I would be more concerned with fundamental security than
    with crontab paranoia. Do you have security hardening tools installed
    and configured on your system, such as bastille and/or selinux? Do you
    opt in your computer usage to stay away from insecure protocols and
    unencrypted traffic? Have you employed tripwire and logcheck to help
    you manage what's going on on your system?

    Good luck figuring out your problem.

    ~~.


  8. Re: suspicious cron log entry

    Randy Yates wrote:

    > It wasn't me. ...


    Did you verify that in the history files?

    If you run "crontab -l" as user "randy" do you find a similar log line
    that shows in fact that "randy" ran "crontab -l" for "randy"? (or does
    it also show that "root" ran "crontab -l" for "randy"?)

    >> Whether that's "normal" in your situation is not something others
    >> can determine for you ...

    >
    > I don't believe that's true. ...


    You'd have to post a lot more detail about your system and its
    configuration for it not to be, I'm afraid. Even then, keep in mind
    that you know your system and how you use it better than anyone else.
    If you don't, you certainly do have a problem.

    > If I asked you to help me determine what's wrong with my car, couldn't
    > you do it through a series of queries and responses?


    Right, and that would start with "make, model, year, any powertrain
    options" and probably a few more details. Assuming I knew enough about
    (at least that model of) cars to guide you on that matter, the above
    alone would give me a baseline of knowledge about your car and its
    default "configuration" (which I assume you would think to tell me if
    you modified).

    You've given us the equivalent of "my car makes a sound I've never heard
    before. Is that normal?" If you *had* asked that question, the best
    answer I could give you is still the above.

    > Granted I'd have to do the work of checking what you ask me to check,
    > but in this case, assuming it's fairly trivial, I'd gladly do that.


    I would start by trying to identify what specifically caused that log
    line to be produced. Are there others like it? (ie, can you find a
    pattern in the timing) Do other logs show anything interesting at
    around (or slightly earlier than) the same time?

    >> what is causing you to suspect this particular log line?

    >
    > Because I didn't type it,


    Did you do anything else that might have caused the command to be run on
    your behalf? (some sort of GUI interface to crontab, perhaps?)

    > I've never noticed them before in my logs,


    Can you grep your logs to confirm that there are no other occurrences?

    > and no system process that I know of executes this type of command.


    agreed, given "system process" to mean "automated jobs installed with
    the default OS installation". Perhaps you ran "make install" to install
    a package that adds to "nobody"'s crontab if the entry it's adding doesn't
    already exist (it's a long shot, but the point is that you should consider
    what was going on on the system at the time, and see if there's anything
    at all that might have had that as a side-effect).

    >> ... more to the point, what leads you to believe that your
    >> system may have been compromised in the first place?

    >
    > Because I see a suspicious line in my log.


    Just the one line, or are you seeing other evidence which, in context,
    causes this line to stick out as suspicious?

    > Sylvain, I'm halfway to thinking you're pulling my leg, your comments
    > and questions are so circular. Forgive me if I misread you.


    No leg pulling intended. I'm honestly trying to get a sense of what is
    causing you to consider this log line to be suspicious.

    --
    ----------------------------------------------------------------------
    Sylvain Robitaille syl@alcor.concordia.ca

    Systems and Network analyst Concordia University
    Instructional & Information Technology Montreal, Quebec, Canada
    ----------------------------------------------------------------------
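The checks Sylvain lists above (are there other occurrences, is there a pattern in the timing, does another log show something just before the same second) are exactly what a small log-correlation script does well. The following is an added example, not code from the thread or from any of its posters. The log lines in it are constructed to match the format of the line Randy quoted, plus Debian-style `/USR/SBIN/CRON ... CMD (...)` lines for the cron daemon starting a job; the year, the 120-second correlation window and the use of `chkrootkit` as the scheduled job are assumptions for the sake of the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not a real capture), modelled on the line quoted in
# the thread.  /USR/SBIN/CRON lines are what Debian's cron daemon logs when it
# starts a job; /usr/bin/crontab lines are logged by the crontab(1) binary.
SAMPLE_LOG = """\
Aug 24 22:55:02 localhost /USR/SBIN/CRON[1601]: (root) CMD (/usr/sbin/chkrootkit -q)
Aug 24 22:55:41 localhost /usr/bin/crontab[1612]: (root) LIST (nobody)
Aug 25 09:12:07 localhost /usr/bin/crontab[1700]: (randy) LIST (randy)
Aug 25 22:55:01 localhost /USR/SBIN/CRON[1750]: (root) CMD (/usr/sbin/chkrootkit -q)
Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
Aug 26 03:14:15 localhost /usr/bin/crontab[1899]: (root) REPLACE (nobody)
Aug 26 22:55:02 localhost /USR/SBIN/CRON[1950]: (root) CMD (/usr/sbin/chkrootkit -q)
Aug 26 22:55:40 localhost /usr/bin/crontab[1961]: (root) LIST (nobody)
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# crontab(1) logs "(actor) ACTION (target)"; REPLACE/DELETE mean a crontab
# was written or removed, which matters far more than a LIST.
CRONTAB_MSG_RE = re.compile(
    r'^\((?P<actor>[^)]+)\) (?P<action>LIST|REPLACE|DELETE|BEGIN EDIT|END EDIT) '
    r'\((?P<target>[^)]+)\)$')
CRON_CMD_RE = re.compile(r'^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$')

ASSUMED_YEAR = 2007  # syslog timestamps carry no year; only needed for ordering


def parse_events(text):
    """Parse syslog text into crontab(1) events and cron-daemon CMD events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        cm = CRONTAB_MSG_RE.match(m['msg'])
        if cm and m['prog'].endswith('crontab'):
            events.append({'ts': ts, 'kind': 'crontab', 'pid': int(m['pid']),
                           'actor': cm['actor'], 'action': cm['action'],
                           'target': cm['target'], 'raw': line})
            continue
        dm = CRON_CMD_RE.match(m['msg'])
        if dm and re.search('cron', m['prog'], re.I):
            events.append({'ts': ts, 'kind': 'cron_cmd', 'pid': int(m['pid']),
                           'user': dm['user'], 'cmd': dm['cmd'], 'raw': line})
    return events


def crontab_events(events, actor=None, action=None, target=None):
    """Filter crontab(1) events by who ran it, what they did, and on whose crontab."""
    return [e for e in events if e['kind'] == 'crontab'
            and (actor is None or e['actor'] == actor)
            and (action is None or e['action'] == action)
            and (target is None or e['target'] == target)]


def time_of_day_spread(events):
    """(count, spread in seconds) of the events' time of day.  Several
    occurrences on different days within a few seconds of the same clock
    time is the signature of a scheduled job, not of a person at a shell."""
    secs = sorted(e['ts'].hour * 3600 + e['ts'].minute * 60 + e['ts'].second
                  for e in events)
    if len(secs) < 2:
        return len(secs), None
    return len(secs), secs[-1] - secs[0]


def preceding_cron_cmd(events, event, window=timedelta(seconds=120)):
    """Most recent cron-daemon CMD that started within `window` before `event`."""
    candidates = [e for e in events if e['kind'] == 'cron_cmd'
                  and event['ts'] - window <= e['ts'] <= event['ts']]
    return max(candidates, key=lambda e: e['ts']) if candidates else None


def triage(text, window=timedelta(seconds=120)):
    """Split crontab(1) events into explained (a user listing their own
    crontab, or attributable to a cron job that started just before) and
    unexplained (nothing scheduled ran; a human or an intruder did it)."""
    events = parse_events(text)
    explained, unexplained = [], []
    for ev in crontab_events(events):
        if ev['actor'] == ev['target'] and ev['action'] == 'LIST':
            explained.append((ev, 'user listed own crontab'))
            continue
        job = preceding_cron_cmd(events, ev, window)
        if job is not None:
            explained.append((ev, f"likely side effect of cron job: {job['cmd']}"))
        else:
            unexplained.append((ev, 'no scheduled job ran just before; '
                                    'check shell history and auth logs'))
    return explained, unexplained


if __name__ == '__main__':
    ok, check = triage(SAMPLE_LOG)
    for ev, why in ok:
        print('ok   ', ev['raw'], '->', why)
    for ev, why in check:
        print('CHECK', ev['raw'], '->', why)
    n, spread = time_of_day_spread(crontab_events(
        parse_events(SAMPLE_LOG), actor='root', action='LIST', target='nobody'))
    print(f"root LIST nobody: {n} occurrences, time-of-day spread {spread}s")
```

Run against a real `/var/log/syslog` or `/var/log/cron`, the interesting output is the `CHECK` lines: in the constructed sample the three nightly `LIST (nobody)` entries all land about forty seconds after a scheduled `chkrootkit` run and are explained, while the `REPLACE (nobody)` at 03:14 with no job before it is the one that would actually warrant the break-in question. The year assumption only breaks ordering across a New Year boundary, and the daemon-line pattern should be adjusted for crond-style systems that log differently.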

  9. Re: suspicious cron log entry

    Hi,

    I had the same "problem" and got quite mad. I thought there is a
    hacker on my machine. But no...

    > Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)


    The chkrootkit program causes this entry.

    Would be nice if anyone can confirm this.

    Bye

  10. Re: suspicious cron log entry

    On Tue, 18 Sep 2007, in the Usenet newsgroup comp.os.linux.security, in article
    <1190149765.193810.72450@50g2000hsm.googlegroups.com>, hans4002@yahoo.com wrote:

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    >I had the same "problem" and got quite mad. I thought there is a
    >hacker on my machine. But no...
    >
    >> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)

    >
    >The chkrootkit program causes this entry.


    Wonderful 'windoze-wannabe' application which like the similar
    'rkhunter' is a waste of CPU cycles. I don't believe I've ever seen
    someone actually report finding a root kit using either tool, but the
    archives are full of reports of both 'tools' showing false alarms.
    Both are trivial for a mal-ware author to defeat.

    >Would be nice if anyone can confirm this.


    Both 'chkrootkit' and 'rkhunter' are large shell scripts, with some
    (generally poor) documentation. Find the chkrootkit script and look
    at roughly line 1596 (assumes version 0.47 from October 2006) and find
    the function 'chk_crontab'.

    Of course the other way to confirm this is to look at your logs. Do you
    see this entry? Now, run the application, and look again in the logs.
    Do you see the entry now?

    Old guy

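The before-and-after test "Old guy" describes (look at the logs, run the application, look again) and the history and cron-directory search Sylvain suggested earlier in the thread can both be scripted. The following shell functions are an added example, not code from the thread or from chkrootkit; the log path, history files and cron directories named in the comments are assumptions to be replaced with the ones your system actually uses, and the command run in the demonstration line is only illustrative.

```sh
#!/bin/sh
# Added example, not code from the thread.  Two checks for the question
# "what produced this crontab[...] line?":
#   crontab_lines_caused_by LOG CMD...   snapshot LOG, run CMD, print only the
#                                        crontab(1) lines CMD caused to be logged
#   find_crontab_invocations PATH...     grep shell histories and cron dirs for
#                                        anything that calls crontab
# Assumed paths (adjust for your system): the log is /var/log/syslog or
# /var/log/cron, histories are /root/.bash_history and ~/.bash_history, cron
# dirs are /etc/cron.d /etc/cron.daily ... /var/spool/cron.

crontab_lines_caused_by() {
    log=$1; shift
    [ -r "$log" ] || { printf 'cannot read %s\n' "$log" >&2; return 2; }
    before=$(wc -l < "$log" | tr -d ' ')
    # Run the suspect command; its own output is not what we are after.
    if "$@" >/dev/null 2>&1; then status=0; else status=$?; fi
    after=$(wc -l < "$log" | tr -d ' ')
    # A rotated or truncated log is shorter than before: rescan from the top
    # rather than skipping lines that no longer exist.
    [ "$after" -ge "$before" ] || before=0
    printf 'command exit status %s; scanning %s new log line(s)\n' \
        "$status" "$((after - before))" >&2
    # Exit status: 0 if the command produced crontab(1) log lines, 1 if not.
    if tail -n +"$((before + 1))" "$log" | grep 'crontab\[[0-9]*\]: ('; then
        return 0
    else
        return 1
    fi
}

find_crontab_invocations() {
    # -r descends into cron directories; -n gives the line number to look at.
    grep -rn 'crontab' "$@" 2>/dev/null
}

# Stand-alone demonstration (commented out; paths and command are assumed):
# crontab_lines_caused_by /var/log/syslog /usr/sbin/chkrootkit -q
# find_crontab_invocations /root/.bash_history /etc/cron.d /etc/cron.daily
```

The first function answers the thread's question directly: if running the suspect tool makes a fresh `crontab[...]: (root) LIST (nobody)` line appear, the tool is the source. If syslog forwards to a remote host or buffers writes, allow a moment after the command before trusting an empty result, and remember the check only covers the command you ran, not whatever produced the original line at 22:55 on Aug 25.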