Gentoo Forums
Unexpected cron output - could it be a system compromise?
tonip
n00b
Joined: 07 Jan 2005
Posts: 35

Posted: Thu Feb 01, 2007 6:43 am    Post subject: Unexpected cron output - could it be a system compromise?

I'm running 2.6.12-gentoo-r10 behind an IPCop box which serves as a router/firewall (IPCop 1.4.13). Early this morning I found some very suspicious output emailed to the root account from cron - this has never happened before and I certainly didn't (knowingly) set up any such cron job. Also, I can't find anything in the /etc/cron* directories or /etc/crontab that would have set this off:

Code:
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0  113k    0  1134    0     0   1742      0  0:01:06 --:--:--  0:01:06  1742
 63  113k   63 73934    0     0  41560      0  0:00:02  0:00:01  0:00:01 64539
100  113k  100  113k    0     0  59096      0  0:00:01  0:00:01 --:--:-- 87364
Done.


I'm not familiar with whatever command would have produced this output, so I did some searching and it looks to me like it comes from a curl command (can anyone confirm if that's right?). This has freaked me out a bit - now I'm concerned my box has been compromised. I ran chkrootkit and it didn't seem to throw up anything obvious, but I don't fully understand all the output. The only warning-type message it printed was the following:

Code:
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         6648 tty7   /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-ISMxJA
! tprice       8384 pts/0  /bin/bash
! tprice       8386 pts/1  /bin/bash
! tprice       8392 pts/2  /bin/bash
! tprice       8399 pts/3  /bin/bash
! tprice       8411 pts/4  /bin/bash
! tprice       8434 pts/5  /bin/bash
! tprice       8444 pts/6  /bin/bash
! tprice       8453 pts/7  /bin/bash
! tprice       8458 pts/8  /bin/bash
! tprice       8460 pts/9  /bin/bash
! tprice       8479 pts/11 /bin/bash
! tprice      14648 pts/10 /bin/bash
! root          610 pts/7  /bin/sh /usr/sbin/chkrootkit
! root         1626 pts/7  /usr/sbin/chkutmp
! root         1627 pts/7  ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted


Nothing there looks unexpected to me but I'm not totally sure. (I could post the whole output if it would be useful.)

I can't see anything obvious in the IPCop firewall logs and 'ps faux' doesn't show up anything that looks suspicious to me, though I don't really know enough to tell. Can anyone give me some advice on how to figure out what caused that cron job to run?

Thanks ...
Toni
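One way to answer the question of which cron job ran a given tool, as an added example that is not part of this thread or of pciutils: a small POSIX shell function that scans the usual cron locations and also looks one hop into any absolute path a job references, because a cron.monthly wrapper may just exec a script elsewhere (the curl call for update-pciids lives in /usr/sbin/update-pciids, not in the cron.monthly file). The ROOT argument is my own addition so the search can be pointed at a copy of a tree instead of /.

```shell
#!/bin/sh
# Added example (not from the thread or the pciutils package): find which cron
# job invokes a given tool, following one hop of indirection, since a
# cron.monthly wrapper may just exec a script elsewhere (as update-pciids does).
# ROOT is a path prefix so the search can be pointed at a test tree instead of /.

# Usage: cron_grep PATTERN [ROOT]
# Prints "<job>: direct" or "<job>: via <script>" for each matching cron job.
# Returns 0 if at least one job matched, 1 otherwise.
cron_grep() {
    pattern=$1
    root=${2:-}
    found=1
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if grep -q -- "$pattern" "$f"; then
            printf '%s: direct\n' "${f#"$root"}"
            found=0
            continue
        fi
        # One hop: every absolute path the job mentions is itself searched.
        for ref in $(grep -o -- '/[A-Za-z0-9_./-]*' "$f" | sort -u); do
            target=$root$ref
            [ -f "$target" ] || continue
            if grep -q -- "$pattern" "$target"; then
                printf '%s: via %s\n' "${f#"$root"}" "$ref"
                found=0
                break
            fi
        done
    done
    return $found
}

# Run against the live system when invoked with a pattern, e.g. ./cron_grep.sh curl
if [ $# -gt 0 ]; then
    cron_grep "$@"
fi
```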
dleverton
Guru
Joined: 28 Aug 2006
Posts: 517

Posted: Thu Feb 01, 2007 8:13 am

Yeah, this startled me too a while back, but it's almost certainly caused by the sys-apps/pciutils package updating the PCI IDs database. It would have been nice if there was some explanatory output, but... :?

Anyway, you can turn it off by commenting out the exec line in /etc/cron.monthly/update-pciids. Don't delete the file, because if you do it'll come back next time you update pciutils, whereas if you comment it, config protection will stop it from surprising you again.
tonip
n00b
Joined: 07 Jan 2005
Posts: 35

Posted: Thu Feb 01, 2007 8:24 am

Yep, that seems to be it (datestamp on /usr/share/misc/pci.ids matches the time of the cron job and it would have used curl).

Thanks, at least now I don't need to worry!
Toni
orionbelt
Apprentice
Joined: 05 Apr 2006
Posts: 178

Posted: Fri Jun 01, 2007 12:56 pm

It's been bugging me for months as well, on the 1st of every month to be more specific. It turns out it's caused by /usr/sbin/update-pciids, which gets executed from inside your cron.monthly, as dleverton said above...

I just found out that I can disable the annoying message by modifying the line:

Code:
if ! $DL ; then


into:

Code:
if ! $DL >&/dev/null ; then


However, I would be much happier if Gentoo devs made the change; is the curl output of any use?

Edit: A better solution might be to leave the above line as-is and instead modify the line:

Code:
   DL="curl -o $DEST.new $SRC"


into:

Code:
   DL="curl -o $DEST.new $SRC --stderr /dev/null"


The advantage is that, if wget or lynx are used instead of curl, the stderr output *will* be emailed.
drak
n00b
Joined: 18 Jun 2003
Posts: 40

Posted: Mon Jun 18, 2007 10:43 am

A better solution is to not remove all errors and instead silence the verbosity of curl.

Change the following in /usr/sbin/update-pciids (I have submitted a bug report for this: 182439):
Code:

   DL="curl -o $DEST.new $SRC"

to
Code:

   DL="curl -s -o $DEST.new $SRC"

The advantage is that the stderr output *will* be emailed, and the verbosity of curl is removed, so you do not see what happened during the download of the file.
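As an added example (not the pciutils script itself, and not from any poster above), here is the download-and-replace step written so that curl's progress meter is silenced but error messages and HTTP failures still surface: -s alone also hides curl's own error text, -S brings it back, and -f turns an HTTP error page into a non-zero exit so the failure branch actually runs. DL_CMD is a hypothetical hook assumed here so the step can be exercised without network access.

```shell
#!/bin/sh
# Added example (not the pciutils script itself): the download-and-replace
# step in the style of update-pciids, with curl's progress meter silenced by
# -s, error messages kept by -S, and HTTP errors turned into a non-zero exit by
# -f, so the failure branch actually runs and its message reaches the cron mail.
# DL_CMD is a hypothetical hook so the step can be exercised without a network;
# it must accept "<output-file> <url>" like "curl -sS -f -o" does.

# Usage: update_file URL DEST
update_file() {
    src=$1
    dest=$2
    dl=${DL_CMD:-"curl -sS -f -o"}
    # Fetch into a temporary name so a failed download never clobbers DEST.
    if ! $dl "$dest.new" "$src"; then
        rm -f "$dest.new"
        echo "update of $dest from $src failed; keeping old copy" >&2
        return 1
    fi
    mv "$dest.new" "$dest"
}

# Stand-alone use: ./update_file.sh <url> <dest>
if [ $# -eq 2 ]; then
    update_file "$1" "$2"
fi
```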