Cron jobs are running but there is nothing in crontab? Have I been hacked?
You are assuming cron jobs exist in standard crontabs. Do this:
ls -lR /etc/cron*
Oh, and no... that does NOT mean that you've been hacked!
Related videos on Youtube
MikeC8
Updated on September 18, 2022Comments
-
MikeC8 over 1 year
I have a server that's been running for years now and there are no cron jobs set up. I have not logged in or changed anything in months. Suddenly I started receiving emails that look like this, about once per hour, but not always for some reason:
To: [email protected] Subject: Cron <[email protected]> [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/mhash.ini on line 1 in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626/mhash.so' - /usr/lib/php5/20090626/mhash.so: cannot open shared object file: No such file or directory in Unknown on line 0
I have no idea what this is talking about. It's bizarre because I did not change anything.
I checked to see if ther eare any cron jobs by running this command while logged in as root:
for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done
There were none:
no crontab for root no crontab for daemon no crontab for bin no crontab for sys : : etc, for all users
What is going on? How do I stop this? And furthermore, I'm a little concerned that someone broke into the server and changed something, because I didn't touch a single thing.
Any ideas?
-
Kasius over 11 yearsUsers can also create their own
cron
jobs. Check out/var/cron
or/var/spool/cron/crontabs
. -
UtahJarhead over 11 yearsYes, but he already checked the individual users' crontabs (those are what are listed in the directories you listed.)
-
Daniel K about 4 yearsHi Yanqi, I am afraid I find this answer very confusing. Could you review it for clarity?