This is a discussion on "suspicious cron log entry" within the Linux Security forums, part of the System Security and Security Related category.
Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)

Is this normal? If so, can someone please explain who/what is doing this? If not, any suggestions on a course of action?

--
%  Randy Yates                  % "How's life on earth?
%% Fuquay-Varina, NC            %  ... What is it worth?"
%%% 919-577-9882                % 'Mission (A World Record)',
%%%% <yates@ieee.org>           % *A New World Record*, ELO
http://home.earthlink.net/~yatescr
Randy Yates <yates@ieee.org> writes:

> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
>
> Is this normal? If so, can someone please explain who/what is
> doing this? If not, any suggestions on a course of action?

I should say that "doing this" means "crontab -l". Or am I wrong?

--
%  Randy Yates                  % "With time with what you've learned,
%% Fuquay-Varina, NC            %  they'll kiss the ground you walk
%%% 919-577-9882                %  upon."
%%%% <yates@ieee.org>           % '21st Century Man', *Time*, ELO
http://home.earthlink.net/~yatescr
Randy Yates wrote:

>> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
>>
>> Is this normal? If so, can someone please explain who/what is
>> doing this? If not, any suggestions on a course of action?
>
> I should say that "doing this" means "crontab -l". Or am I
> wrong?

Yes, it looks like someone, acting as root, typed "crontab -l nobody". Whether that's "normal" in your situation is not something others can determine for you (are you the only one with legitimate "root" access on this system?), but it certainly would be "normal" on systems I manage, especially for "software accounts" that do have cron jobs, where I might want to check details.

I hope that helps ...

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                        Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
Sylvain Robitaille <syl@alcor.concordia.ca> writes:

> Randy Yates wrote:
>
>>> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
>>>
>>> Is this normal? If so, can someone please explain who/what is
>>> doing this? If not, any suggestions on a course of action?
>>
>> I should say that "doing this" means "crontab -l". Or am I
>> wrong?
>
> Yes, it looks like someone, acting as root typed "crontab -l nobody".
> Whether that's "normal" in your situation is not something others can
> determine for you (are you the only one with legitimate "root" access
> on this system?), but it certainly would be "normal" on systems I
> manage, especially for "software accounts" that do have cron jobs, where
> I might want to check details.
>
> I hope that helps ...

Hi Sylvain,

Thanks for your response. I don't mean to be thick, but I still don't really see what the bottom line is. I am the only human that should have root access to my computer. Are there programs or cron jobs that might do this sort of thing automatically? If so, how do you check? If not, then please clarify that this is indeed an indication of a break-in.

--
%  Randy Yates                  % "So now it's getting late,
%% Fuquay-Varina, NC            %  and those who hesitate
%%% 919-577-9882                %  got no one..."
%%%% <yates@ieee.org>           % 'Waterfall', *Face The Music*, ELO
http://home.earthlink.net/~yatescr
Randy Yates wrote:

> Thanks for your response. I don't mean to be thick, but I still don't
> really see what the bottom line is. I am the only human that should
> have root access to my computer.

Then I would conclude that at Aug 25 22:55:39, as root, you typed "crontab -l nobody" (or perhaps as your own user you used sudo to issue the same command?) Think back carefully. Examine root's command history file (.history, or perhaps .bash_history) for reminders. Examine your own history file as well.

> Are there programs or cron jobs that might do this sort of thing
> automatically? If so, how do you check?

I highly doubt it. You could grep through crontabs and /etc/cron.*, but I'd be surprised if you found anything there that would cause a crontab listing for user nobody.

> If not, then please clarify that this is indeed an indication of a
> break-in.

As I said in my earlier message,

    Whether that's "normal" in your situation is not something others can
    determine for you ...

I suppose the question to begin with, is what is causing you to suspect this particular log line? Or perhaps more to the point, what leads you to believe that your system may have been compromised in the first place?

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                        Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
Sylvain Robitaille <syl@alcor.concordia.ca> writes:

> Randy Yates wrote:
>
>> Thanks for your response. I don't mean to be thick, but I still don't
>> really see what the bottom line is. I am the only human that should
>> have root access to my computer.
>
> Then I would conclude that at Aug 25 22:55:39, as root, you typed
> "crontab -l nobody" (or perhaps as your own user you used sudo to issue
> the same command?) Think back carefully. Examine root's command
> history file (.history, or perhaps .bash_history) for reminders.
> Examine your own history file as well.

It wasn't me. I didn't even know there was a -l option until I saw this entry in the log and read up on the crontab man page.

>> Are there programs or cron jobs that might do this sort of thing
>> automatically? If so, how do you check?
>
> I highly doubt it. You could grep through crontabs and /etc/cron.*, but
> I'd be surprised if you found anything there that would cause a crontab
> listing for user nobody.

OK.

>> If not, then please clarify that this is indeed an indication of a
>> break-in.
>
> As I said in my earlier message,
>
>     Whether that's "normal" in your situation is not something others can
>     determine for you ...

I don't believe that's true. If I asked you to help me determine what's wrong with my car, couldn't you do it through a series of queries and responses? Granted I'd have to do the work of checking what you ask me to check, but in this case, assuming it's fairly trivial, I'd gladly do that.

> I suppose the question to begin with, is what is causing you to suspect
> this particular log line?

Because I didn't type it, I've never noticed them before in my logs, and no system process that I know of executes this type of command.

> Or perhaps more to the point, what leads you to believe that your
> system may have been compromised in the first place?

Because I see a suspicious line in my log.

Sylvain, I'm halfway to thinking you're pulling my leg, your comments and questions are so circular. Forgive me if I misread you.

--
%  Randy Yates                  % "Midnight, on the water...
%% Fuquay-Varina, NC            %  I saw... the ocean's daughter."
%%% 919-577-9882                % 'Can't Get It Out Of My Head'
%%%% <yates@ieee.org>           % *El Dorado*, Electric Light Orchestra
http://home.earthlink.net/~yatescr
> Whether that's "normal" in your situation is not something others can
> determine for you ...

Truly, limited understanding of the situation hinders any ability to make an accurate response. You have provided very generic information from which to go off of, and in such a small quantity that there could be many correct responses.

There are tools, which I know almost nothing about, that will change the default nature of crontab. It's possible to use a webtool on a setup that uses SmoothWall ... the mod changes the ownership of crontab to nobody so the browser-based application can access the crontab. Similar article here ... http://community.smoothwall.org/foru...d0123a8adba9e3

At this point I would be more concerned with fundamental security than with crontab paranoia. Do you have security hardening tools installed and configured on your system, such as bastille and/or selinux? Do you opt in your computer usage to stay away from insecure protocols and unencrypted traffic? Have you employed tripwire and logcheck to help you manage what's going on on your system?

Good luck figuring out your problem.

~~.
Randy Yates wrote:

> It wasn't me. ...

Did you verify that in the history files? If you run "crontab -l" as user "randy" do you find a similar log line that shows in fact that "randy" ran "crontab -l" for "randy"? (or does it also show that "root" ran "crontab -l" for "randy"?)

>> Whether that's "normal" in your situation is not something others
>> can determine for you ...
>
> I don't believe that's true. ...

You'd have to post a lot more detail about your system and its configuration for it not to be, I'm afraid. Even then, keep in mind that you know your system and how you use it better than anyone else. If you don't, you certainly do have a problem.

> If I asked you to help me determine what's wrong with my car, couldn't
> you do it through a series of queries and responses?

Right, and that would start with "make, model, year, any powertrain options" and probably a few more details. Assuming I knew enough about (at least that model of) cars to guide you on that matter, the above alone would give me a baseline of knowledge about your car and its default "configuration" (which I assume you would think to tell me if you modified). You've given us the equivalent of "my car makes a sound I've never heard before. Is that normal?" If you *had* asked that question, the best answer I could give you is still the above.

> Granted I'd have to do the work of checking what you ask me to check,
> but in this case, assuming it's fairly trivial, I'd gladly do that.

I would start by trying to identify what specifically caused that log line to be produced. Are there others like it? (ie, can you find a pattern in the timing) Do other logs show anything interesting at around (or slightly earlier than) the same time?

>> what is causing you to suspect this particular log line?
>
> Because I didn't type it,

Did you do anything else that might have caused the command to be run on your behalf? (some sort of GUI interface to crontab, perhaps?)

> I've never noticed them before in my logs,

Can you grep your logs to confirm that there are no other occurrences?

> and no system process that I know of executes this type of command.

agreed, given "system process" to mean "automated jobs installed with the default OS installation". Perhaps you ran "make install" to install a package that adds to "nobody"s crontab if the entry it's adding doesn't already exist (it's a long shot, but the point is that you should consider what was going on on the system at the time, and see if there's anything at all that might have had that as a side-effect).

>> ... more to the point, what leads you to believe that your
>> system may have been compromised in the first place?
>
> Because I see a suspicious line in my log.

Just the one line, or are you seeing other evidence which, in context, causes this line to stick out as suspicious?

> Sylvain, I'm halfway to thinking you're pulling my leg, your comments
> and questions are so circular. Forgive me if I misread you.

No leg pulling intended. I'm honestly trying to get a sense of what is causing you to consider this log line to be suspicious.

--
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems and Network analyst                        Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
Hi,

I had the same "problem" and got quite mad. I thought there is a hacker on my machine. But no...

> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)

The chkrootkit program causes this entry. Would be nice if anyone can confirm this.

Bye
On Tue, 18 Sep 2007, in the Usenet newsgroup comp.os.linux.security, in article
<1190149765.193810.72450@50g2000hsm.googlegroups.com>, hans4002@yahoo.com wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically reduces the chance of your post being seen. Find a real news server.

> I had the same "problem" and got quite mad. I thought there is a
> hacker on my machine. But no...
>
>> Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
>
> The chkrootkit program causes this entry.

Wonderful 'windoze-wannabe' application which like the similar 'rkhunter' is a waste of CPU cycles. I don't believe I've ever seen someone actually report finding a root kit using either tool, but the archives are full of reports of both 'tools' showing false alarms. Both are trivial for a mal-ware author to defeat.

> Would be nice if anyone can confirm this.

Both 'chkrootkit' and 'rkhunter' are large shell scripts, with some (generally poor) documentation. Find the chkrootkit script and look at roughly line 1596 (assumes version 0.47 from October 2006) and find the function 'chk_crontab'. Of course the other way to confirm this is to look at your logs. Do you see this entry? Now, run the application, and look again in the logs. Do you see the entry now?

Old guy
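The checks suggested in this thread (Sylvain's "grep your logs for other occurrences, look for a pattern in the timing, see what else was logged around the same time" and Old guy's "run the audit script and see whether the entry reappears") can be scripted. The following is an added example, not code from any poster and not part of chkrootkit or cron. It parses the `(actor) ACTION (target)` lines that Vixie cron's crontab(1) writes to syslog, groups them, flags groups that recur at nearly the same clock time on different days (what a nightly cron job such as a scheduled chkrootkit run would produce), separates crontab modifications (REPLACE/DELETE) from mere listings, and pulls out whatever else syslog recorded within a short window of an event. The sample log is constructed (only the Aug 25 22:55:39 line is from the thread, the rest are made up), the year 2007 is an assumption because syslog timestamps carry none, and the hypothetical `main` reads the sample rather than a real file; in practice you would feed it the contents of /var/log/cron or wherever your syslog puts cron messages.

```python
import re
from collections import defaultdict
from datetime import datetime

# crontab(1) from Vixie cron writes one syslog line per invocation, in the shape
#   Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
# i.e. "(<user running crontab>) <ACTION> (<whose crontab>)".  LIST is "crontab -l";
# REPLACE and DELETE record a crontab being installed or removed.
CRONTAB_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?:\S*/)?crontab\[(?P<pid>\d+)\]: "
    r"\((?P<actor>[^)]+)\) (?P<action>[A-Z]+(?: [A-Z]+)?) \((?P<target>[^)]+)\)$"
)
# Any syslog line at all: just the timestamp prefix, used for time-window correlation.
SYSLOG_TS_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log: only the Aug 25 22:55:39 line is from the thread; the rest are
# made up to show a nightly repeat of the LIST, an interactive "crontab -l" by a user,
# and a REPLACE of root's crontab with an ssh login logged a second later.
SAMPLE_LOG = """\
Aug 24 22:55:41 localhost /usr/bin/crontab[1420]: (root) LIST (nobody)
Aug 25 22:55:39 localhost /usr/bin/crontab[1763]: (root) LIST (nobody)
Aug 25 22:55:40 localhost /usr/bin/crontab[1764]: (root) LIST (root)
Aug 26 09:12:03 localhost /usr/bin/crontab[2201]: (randy) LIST (randy)
Aug 26 22:55:38 localhost /usr/bin/crontab[2390]: (root) LIST (nobody)
Aug 27 03:14:07 localhost /usr/bin/crontab[2877]: (root) REPLACE (root)
Aug 27 03:14:08 localhost sshd[2878]: Accepted password for root from 10.0.0.5 port 4242 ssh2
"""

LOG_YEAR = 2007  # assumption: syslog timestamps carry no year; the thread is from 2007


def _syslog_time(stamp, year=LOG_YEAR):
    """Turn a 'Mon DD HH:MM:SS' syslog stamp into a datetime, supplying the year."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_crontab_events(text, year=LOG_YEAR):
    """Every crontab(1) audit line in text, in file order, as dicts."""
    events = []
    for line in text.splitlines():
        m = CRONTAB_RE.match(line)
        if m:  # lines from other daemons are skipped here
            events.append({"time": _syslog_time(m["ts"], year), "host": m["host"],
                           "pid": int(m["pid"]), "actor": m["actor"],
                           "action": m["action"], "target": m["target"]})
    return events


def summarize(events, jitter_s=300):
    """Group by (actor, action, target); count occurrences and measure the spread of the
    time of day.  Hits within a few minutes of the same clock time on different days
    look like a scheduled job (a nightly audit script, for instance), not a person."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["actor"], e["action"], e["target"])].append(e["time"])
    summary = {}
    for key, times in by_key.items():
        secs = [t.hour * 3600 + t.minute * 60 + t.second for t in times]
        days = {t.date() for t in times}
        spread = max(secs) - min(secs)
        summary[key] = {"count": len(times), "tod_spread_s": spread,
                        "recurring_daily": len(days) >= 2 and spread <= jitter_s}
    return summary


def crontab_writes(events):
    """Events that changed a crontab rather than just reading it; these deserve an
    explanation first, whatever the verdict on the LIST lines."""
    return [e for e in events if e["action"] in ("REPLACE", "DELETE")]


def lines_near(text, when, window_s=120, year=LOG_YEAR):
    """All syslog lines (any daemon) within window_s seconds of `when`, to see what
    else the system was doing around a crontab event."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_TS_RE.match(line)
        if m and abs((_syslog_time(m.group(1), year) - when).total_seconds()) <= window_s:
            out.append(line)
    return out


if __name__ == "__main__":
    evs = parse_crontab_events(SAMPLE_LOG)
    for key, info in sorted(summarize(evs).items()):
        print(key, info)
    for w in crontab_writes(evs):
        print("crontab modified:", w)
        for line in lines_near(SAMPLE_LOG, w["time"]):
            print("   ", line)
```

On the constructed sample the `(root, LIST, nobody)` group comes out with three hits on three days within a few seconds of 22:55, which is the signature of a scheduled job rather than someone at a keyboard, while the single `REPLACE` of root's crontab is reported alongside the ssh login logged a second later. Whether either is "normal" is still the question Sylvain keeps asking, but the script turns one log line into the pattern and context needed to answer it.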