I have typed

for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done

and that says

no crontab for root no crontab for daemon ... no crontab for apache2 

and I very often get the message You have new mail in /var/mail/root

When I read them, they are all the same:

From [email protected] Wed Aug 2 15:40:02 2017
Return-Path: <[email protected]>
X-Original-To: root
Delivered-To: [email protected]
Received: by lxc2014.localdomain (Postfix, from userid 0)
        id 03E571D666; Wed, 2 Aug 2017 15:40:02 +0000 (UTC)
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <root@lxc2014> /dev/.x;^Mno crontab for root
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <[email protected]>
Date: Wed, 2 Aug 2017 15:40:02 +0000 (UTC)

/bin/sh: 1: ^Mno: not found

I know that ^M is \r, but why does cron search for this file...

  • There are a few system crontabs in addition to per-user crontabs. Does grep "no crontab" /etc/crontab /etc/cron*/* | cat -vet show anything? Commented Aug 2, 2017 at 17:44
  • grep "no crontab" /etc/crontab /etc/cron*/* | cat -vet shows nothing. Commented Aug 5, 2017 at 20:59
  • I've got php5 in cron.d, and apache2, apt, aptitude, bsdmainutils, dpkg, logrotate, man-db, mlocate and passwd in cron.daily. Commented Aug 5, 2017 at 21:04
  • Can you try grep -F -r /dev/.x /etc /var/spool/cron | cat -vet ? I've never seen /dev/.x before. It may be a legitimate executable used to maintain /dev, or it may be suspicious. Commented Aug 7, 2017 at 15:03
  • Sure. Use crontab -u root -r. That crontab entry was either a typo or malicious software (or both). Commented Aug 11, 2017 at 12:49

1 Answer

When you get mail like

From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <root@lxc2014> /dev/.x;^Mno crontab for root
X-Cron-Env: <LOGNAME=root>

/bin/sh: 1: ^Mno: not found

and you can't tell which crontab contains the offending command, you can grep for pieces of the command in the standard places:

grep -r "no crontab" /etc/cron* /var/spool/cron | cat -vet 

The cat -vet will show any embedded control characters that would otherwise be invisible or result in cursor motion.

In your case, you found the command at

/var/spool/cron/crontabs/root:* * * * * /dev/.x;^Mno crontab for root$ 

and the file contains this (line breaks added for readability):

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Thu Jul 20 20:50:12 2017)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * /dev/.x;^Mno crontab for root

Because of the embedded Ctrl+M character, running crontab -u root -l appears to show only no crontab for root. This looks like someone is trying to hide the crontab entry. I suggest that someone familiar with security and forensics take a look at your system to determine whether it's been compromised.

You can remove this crontab with crontab -u root -r.

You mentioned that /dev/.x doesn't exist, and that that string doesn't appear in any file under /etc, but please keep monitoring your system to see whether these files reappear. That would be a strong indicator that your system is still compromised.

If possible, please install all security patches offered by your distribution.

  • Related: security.stackexchange.com/questions/39231/… Commented Aug 14, 2017 at 19:02
  • This command crontab -u root -r works well, but after some reboots this entry comes back... Commented Aug 16, 2017 at 12:02
  • Looks like it's malware, then. Reinstall your system, make sure you're fully patched and change all your access passwords. See the link provided by @Kusalananda Commented Aug 16, 2017 at 12:18
  • OK, I'll try to convince the other admin. Commented Aug 30, 2017 at 20:28
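The answer relies on knowing a fragment of the hidden command ("no crontab") to grep for. A scan that does not need that knowledge, written here as an added example (not code from the question, the answer or any project), looks for any line in a crontab that contains a control character other than TAB and newline, and shows it through cat -v so the \r becomes a visible ^M. The sample crontab is constructed in a temporary directory to mirror the entry quoted in the answer; the function names, the `demo` argument and the file layout are assumptions of this example. The reason the trick works is worth counting out: "* * * * * /dev/.x;" is 18 characters and "no crontab for root" is 19, so after the carriage return the second string overwrites the first completely on a terminal, and both crontab -u root -l and cat show exactly what a missing crontab would show.

```shell
#!/bin/sh
# Added example, not from the original post: locate crontab entries that
# hide behind a carriage return, the trick the answer above describes.
# The crontab files below are constructed in a temporary directory to
# match the entry quoted in the answer; nothing on the live system is touched.

# Write two constructed crontabs (one hidden entry, one clean) into a
# fresh temporary directory and print that directory's path.
make_sample_crontabs() {
    dir=$(mktemp -d)
    {
        printf '# DO NOT EDIT THIS FILE - edit the master and reinstall.\n'
        # \r returns the cursor to column 0 without a line feed, so on a
        # terminal the 19 characters of "no crontab for root" overwrite the
        # 18 characters of "* * * * * /dev/.x;" and the real entry vanishes.
        printf '* * * * * /dev/.x;\rno crontab for root\n'
    } > "$dir/root"
    printf '0 3 * * * /usr/bin/true\n' > "$dir/clean"
    echo "$dir"
}

# Print "file:lineno:content" for every line in the given files that holds
# a C0 control character other than TAB and LF (CR, BS, ESC, ...) or DEL,
# with those characters shown the way cat -v shows them (\r as ^M).
find_hidden_entries() {
    # Build the bracket expression from raw bytes so plain grep works
    # without -P; LC_ALL=C makes the ranges byte ranges. -a keeps grep from
    # dismissing a file holding ESC or BS as "binary"; /dev/null as a second
    # operand forces the file-name prefix even for a single file.
    ctl=$(printf '[\001-\010\013-\037\177]')
    for f in "$@"; do
        [ -f "$f" ] || continue
        LC_ALL=C grep -n -a -- "$ctl" "$f" /dev/null | cat -v
    done
}

# Exit status 0 if any of the given files has such a line, 1 otherwise.
has_hidden_entries() {
    [ -n "$(find_hidden_entries "$@")" ]
}

# Read-only scan of the locations the answer and comments name:
# /etc/crontab, everything under /etc/cron*, and /var/spool/cron.
scan_system_crontabs() {
    find /etc/crontab /etc/cron* /var/spool/cron -type f 2>/dev/null |
    while IFS= read -r f; do
        find_hidden_entries "$f"
    done
}

# Demo: sh find_hidden_cron.sh demo
if [ "${1:-}" = demo ]; then
    d=$(make_sample_crontabs)
    echo "== what a terminal shows for $d/root (the entry is overwritten):"
    cat "$d/root"
    echo "== what cat -v shows:"
    find_hidden_entries "$d/root" "$d/clean"
    echo "== live system (read-only):"
    scan_system_crontabs
    rm -rf "$d"
fi
```

Two caveats a practitioner would want. First, cron itself had no trouble reading the entry (the mail proves it ran every minute), so hiding it from the terminal is the only thing the \r achieves; the same scan is worth running over `crontab -u root -l | cat -v` as well as the spool files, because crontab -l prints the raw file. Second, as the comments above note, the entry came back after a reboot, so finding and deleting it is diagnosis rather than cleanup; something else on the box is reinstalling it.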
