Cron is sending me an email once per minute, the emails look like this:

Subject:
Cron <root at host> chown root:root /dev/shm/local/local5 && chmod 4755
/dev/shm/local/local5 && rm -rf /etc/cron.d/core && kill -USR1 7140

Body:
chown: cannot access `/dev/shm/local/local5': No such file or directory

I've un-installed and reinstalled the vixie-cron packages, I have
verified that they are not corrupted by using rpm --verify vixie-cron, I
have checked all the crontabs on the system there aren't any running
every minute.

I don't understand why this is happening, anyone have any insight?

Thanks,

Matt

On Sat, 2006-09-02 at 16:25 -0400, Matthew T. O'Connor wrote:
> /dev/shm/local

I'd start viewing the /etc/cron* stuff to see if you can see anything
there. And run something like this

rpm -q --file /dev/shm/local

to see if you can find the package with which they are associated.
They're not on my machine, but I'm just a workstation here.

HTH
--
Bill

Matthew T. O'Connor wrote:
> Cron is sending me an email once per minute, the emails look like this:
>
> Subject:
> Cron <root at host> chown root:root /dev/shm/local/local5 && chmod 4755
> /dev/shm/local/local5 && rm -rf /etc/cron.d/core && kill -USR1 7140
>
> Body:
> chown: cannot access `/dev/shm/local/local5': No such file or directory
>
> I've un-installed and reinstalled the vixie-cron packages, I have
> verified that they are not corrupted by using rpm --verify vixie-cron, I
> have checked all the crontabs on the system there aren't any running
> every minute.
>
> I don't understand why this is happening, anyone have any insight?

As root,

crontab -l

--
Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

Please do not reply off-list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Sep 02, 2006 at 04:25:34PM -0400, Matthew T. O'Connor wrote:
> Cron is sending me an email once per minute, the emails look like this:
>
> Subject:
> Cron <root at host> chown root:root /dev/shm/local/local5 && chmod 4755
> /dev/shm/local/local5 && rm -rf /etc/cron.d/core && kill -USR1 7140
>
> Body:
> chown: cannot access `/dev/shm/local/local5': No such file or directory
>
> I've un-installed and reinstalled the vixie-cron packages, I have
> verified that they are not corrupted by using rpm --verify vixie-cron, I
> have checked all the crontabs on the system there aren't any running
> every minute.
>
> I don't understand why this is happening, anyone have any insight?

Someone is either trying or already managed to exploit your machine
using CVE-2006-2451. Make sure you are using at least 2.6.9-34.0.2,
where this issue was fixed. Any version older than that is vulnerable,
and you are in deep trouble.

To manually remove the file that is triggering the cron message, check
for a file named core.XXXXX (where XXXXX is a number) inside /etc/cron.d.

- --
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE+isvpdyWzQ5b5ckRAiLIAJ9EhJTWtifAhDv/kG9XjS45rkkWnwCfaed/
fTObM0OkYc5madKFiyTB+/E=
=qOLh
-----END PGP SIGNATURE-----
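
Added example, not part of the thread or written by any of its posters: a read-only shell check for the two artifacts the messages above name, a core-named file inside /etc/cron.d and a setuid file under /dev/shm. The function names and the `--scan` argument are hypothetical; the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read-only triage for the symptom above.
# Defaults are the paths named in the thread; pass other directories to test.

# Files in a cron.d directory named "core" or "core.<number>". cron reads
# every file in that directory as a job list, so a dump written there can
# carry a job line that runs as root.
find_core_cron_files() {
    dir=${1:-/etc/cron.d}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f \( -name core -o -name 'core.[0-9]*' \) | sort
}

# Regular files with the setuid bit set below a directory. The emailed job
# tries "chmod 4755" on a file under /dev/shm, where no package installs
# setuid binaries.
find_setuid_files() {
    dir=${1:-/dev/shm}
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -4000 2>/dev/null | sort
}

# Print findings and the running kernel (to compare by hand against the
# fixed version given in the thread). Returns 0 if clean, 1 if anything found.
triage() {
    cores=$(find_core_cron_files "${1:-/etc/cron.d}")
    suid=$(find_setuid_files "${2:-/dev/shm}")
    echo "running kernel: $(uname -r)"
    [ -n "$cores" ] && printf '%s\n' "$cores" | sed 's/^/core-named cron file: /'
    [ -n "$suid" ] && printf '%s\n' "$suid" | sed 's/^/setuid file: /'
    [ -z "$cores$suid" ]
}

# Run as root: sh cron_triage.sh --scan [cron_dir] [shm_dir]
if [ "${1:-}" = "--scan" ]; then
    shift
    triage "$@"
fi
```

The script only lists files; it deletes nothing, so whatever it finds stays in place for inspection.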