Strange Behavior With Cron


Did somebody have this situation where an email is sent every minute to a specific user named michel? These emails are incoming from: Root with a header like: Cron ~/.h5siP >/dev/null 2>/dev/null;
and a text message as: /bin/sh: no: command not found

There is a cron task named h5siP in the path of this user; he is the only one affected by this situation. I found that this script has a relation with another one named R5Agz.

If I remove the cron job h5siP from the cron listing and I restart cron, the script is back a few minutes later.
.h5siP-p and .R5Agz-p are located in /dev/shm/ and both contain a process number, such as 23374 and 35678.
.R5Agz and .h5siP can be found in the directory of the user named michel, who is the one receiving a lot of emails.
.h5siP is also located in /temp.

The only changes we made to our system were yesterday. We made an automatic yum update of three programs: java 1.6, kpartx and device-mapper-multipath. I don't know if there is a relation, or am I facing a kind of virus?

I hope somebody can help

2 thoughts on - Strange Behavior With Cron

  • Did this user intentionally set up something that automatically recreates cronjobs?

    If a person was to guess blindly, they might suspect that a nefarious person has compromised your server and set a cronjob. Without knowing more about your set up and how you have protected your servers (if SSH is open to the world, has SSH been brute forced, who has last logged in, etc), it will be tough to give good answers.

    Years ago, I found remnants of cronjobs in /var/spool/cron/ on a shared web server that was compromised (and subsequently cleaned up). By the sounds of it, those files are user cronjobs which will be in the cron spool.

    For starters, you need to find out what those cronjobs are doing — that will indicate the urgency. Use strace to connect to those processes. strace -p

    And from there, determine what is creating that file. You would think that whatever it is, would routinely check for the file to exist and you could catch it by grepping the output from lsof.

  • No, he cannot do such a task. Yesterday our business was closed, so nobody was there. This morning at 7:30 am we found 826 emails in his mailbox. At one a minute, this process was started around 13.76 hours earlier, which means this process was created around 17:45 Monday at the end of the afternoon.

    Strange situation
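The first reply suggests finding out what the cron entries and the PID files point at before anything else. The helper below is an added example written for this thread, not code from either poster: it lists crontab lines that call a hidden dotfile (the thread's entry reads `~/.h5siP >/dev/null 2>/dev/null`), then reads each hidden `<name>-p` file in a directory such as /dev/shm, checks whether the PID it holds is still alive and resolves its executable via /proc. The crontab path (/var/spool/cron/<user> on CentOS), the PROCROOT argument and the sample data in `demo` are assumptions made so the logic runs on constructed input.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). Assumes POSIX sh, a user crontab
# spool file and a /proc-style tree; PROCROOT defaults to /proc and is only
# overridable so the logic can be exercised on constructed data.

# Print crontab lines whose command references a hidden dotfile, e.g. "~/.h5siP".
# Comment lines are skipped; exit status is 0 even when nothing matches.
cron_hidden_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '(^|[[:space:]/])\.[A-Za-z0-9]' || true
}

# For each hidden "<name>-p" file in DIR (the thread reports .h5siP-p and
# .R5Agz-p in /dev/shm), read the PID it holds and print one line:
#   NAME <TAB> PID <TAB> alive <TAB> exe-path   or   NAME <TAB> PID <TAB> dead
check_pidfiles() {
    dir="$1"; procroot="${2:-/proc}"
    for f in "$dir"/.*-p; do
        [ -f "$f" ] || continue                  # unmatched glob stays literal
        name=$(basename "$f"); name="${name%-p}"
        pid=$(tr -dc '0-9' < "$f")               # the files hold a bare PID
        if [ -z "$pid" ]; then
            printf '%s\t-\tno-pid\n' "$name"
        elif [ -d "$procroot/$pid" ]; then
            exe=$(readlink "$procroot/$pid/exe" 2>/dev/null || echo '?')
            printf '%s\t%s\talive\t%s\n' "$name" "$pid" "$exe"
        else
            printf '%s\t%s\tdead\n' "$name" "$pid"
        fi
    done
}

# Constructed sample resembling the thread (PIDs 23374 / 35678 are the OP's
# example numbers; the spool, shm and proc trees here are fake, not live data).
demo() {
    t=$(mktemp -d)
    printf '# sample spool\n* * * * * ~/.h5siP >/dev/null 2>/dev/null\n0 3 * * * /usr/bin/logrotate\n' > "$t/michel"
    mkdir -p "$t/shm" "$t/proc/23374"
    printf '23374' > "$t/shm/.h5siP-p"; printf '35678' > "$t/shm/.R5Agz-p"
    ln -s /tmp/.h5siP "$t/proc/23374/exe"       # 23374 "alive", 35678 has no /proc dir
    cron_hidden_entries "$t/michel"
    check_pidfiles "$t/shm" "$t/proc"
    rm -rf "$t"
}

demo
```

On a real host, run `cron_hidden_entries /var/spool/cron/michel` and `check_pidfiles /dev/shm` as root; a live PID whose exe resolves into /tmp or /dev/shm is the process to inspect with strace and lsof as the reply suggests.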