Process



Acid-Duck
08-19-2004, 10:56 PM
Hi,

Looking at the list of processes started, I noticed one named CROND, which to my knowledge I've never installed. I was wondering if that was part of DA.


Erik

jmstacey
08-19-2004, 11:27 PM
It's not a part of DA, but it is needed. That is the tool that runs things such as generating webalizer stats or resetting bandwidth usage at the end of each month automatically so you don't have to do it.

You need it ;)

Acid-Duck
08-19-2004, 11:38 PM
Perhaps I should have been a bit more clear. I actually have a process running as "crond" and another one running as "CROND". It looks like one of them doesn't belong there. Should I consider this a breach of security?


Erik

nobaloney
08-20-2004, 10:11 AM
Might very well be a hack.

Some hackers use filenames the same as regular linux names, but in upper case.

You'll have to do a bit of forensic work, though.

Have you installed and run Chkrootkit (http://www.chkrootkit.org/)?

What does the output show?

Jeff

Acid-Duck
08-20-2004, 06:01 PM
I did try that out already, and it came back saying nothing. I also scanned all possible ports with nmap, both using 127.0.0.1 and my external IP, and no ports were open that weren't supposed to be. This box only runs DA services with the exception of oidentd, and it's a 2.4.27 kernel with grsecurity.


PS: are you sure it's not part of DA? I've noticed that when I killed dataskq or something like that, it also killed CROND.


Erik

nobaloney
08-20-2004, 06:20 PM
I'm sure only that it's not on the DA server I checked before I wrote my reply:

[root@da1 etc]# whereis CROND
CROND:
[root@da1 etc]# find / -name CROND
[root@da1 etc]# locate CROND
[root@da1 etc]

So it's not on the DA server I checked.

Jeff

jmstacey
08-21-2004, 12:19 AM
Well, one sure way to tell is to add something in /etc/crontab to run every minute like the DA task queue, but write the date to a file or something. Then kill the process, and if the dates stop being written into the file you know you need to keep it. If it continues to work, it's probably not supposed to be there.

Acid-Duck
08-22-2004, 08:39 AM
Thanks for the suggestion, I'll give it a try. I have to admit I did an updatedb and locate CROND and I haven't found anything either. But what I can confirm is that I spent a day without installing DirectAdmin and that process (CROND) never started. As soon as I installed DirectAdmin it re-appeared. This is on a RH 9.0 machine. I'm using setup.sh that I downloaded from directadmin.com for the install.




Erik

kark
08-22-2004, 09:11 AM
I thought I'd check (since I'm running 9.0 also) and I have the same thing! It's a child process from crond. I have to admit I don't often look in the process table .. but this is 'funny'

root 1162 1 0 Jan08 ? 00:01:27 crond
root 2032 1162 0 Aug01 ? 00:00:00 CROND
root 2033 2032 0 Aug01 ? 00:00:02 /usr/local/directadmin/dataskq
root 2036 2033 0 Aug01 ? 00:00:00 /bin/bash /usr/local/directadmin/scripts/update.sh
root 2037 2036 0 Aug01 ? 00:00:00 /bin/sh ./sysbk.sh
root 2044 2037 0 Aug01 ? 00:00:00 /bin/sh ./ncftp.sh
root 4335 2044 0 Aug01 ? 00:00:00 make
root 4336 4335 0 Aug01 ? 00:00:00 /bin/sh -c ( cd Strn ; make "CC=gcc" "CFLAGS=-D_LARGEFILE64_SOURCE -g -O2" )
root 4337 4336 0 Aug01 ? 00:00:00 /bin/sh -c ( cd Strn ; make "CC=gcc" "CFLAGS=-D_LARGEFILE64_SOURCE -g -O2" )
root 4338 4337 0 Aug01 ? 00:00:00 make CC=gcc CFLAGS=-D_LARGEFILE64_SOURCE -g -O2

(BTW, version 1.224 came out Aug 01.)
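The process tree above is the key to telling the two cases apart: a legitimate CROND is a job-runner forked by crond, so its parent (or an ancestor) is the lowercase crond, while the upper-case lookalikes Jeff mentions would normally have no such parent. The script below is an added example, not from any poster or from DirectAdmin: it parses ps -ef output, and flags any process whose name equals a trusted daemon name only case-insensitively and that does not descend from that daemon. The TRUSTED set and the sample ps listing are constructed for the example.

```python
"""Flag case-variant lookalikes of trusted daemons (e.g. CROND, SSHD) that do
not descend from the real lowercase daemon. Example code, not part of DA."""
import subprocess

# Constructed sample modelled on kark's listing; 2032 is crond's legitimate
# CROND child, 3100 and 3200 are orphaned upper-case names to investigate.
SAMPLE_PS = """\
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan08 ? 00:00:04 init
root 1162 1 0 Jan08 ? 00:01:27 crond
root 2032 1162 0 Aug01 ? 00:00:00 CROND
root 2033 2032 0 Aug01 ? 00:00:02 /usr/local/directadmin/dataskq
root 3100 1 0 Aug20 ? 00:00:00 CROND
root 3200 1 0 Aug20 ? 00:00:00 SSHD
"""

TRUSTED = {"init", "crond", "sshd", "syslogd", "httpd"}  # assumed baseline


def parse_ps(text):
    """Return {pid: (ppid, name)}; name is the basename of argv[0]."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 7)             # CMD may contain spaces
        if len(parts) < 8:
            continue
        pid, ppid = int(parts[1]), int(parts[2])
        name = parts[7].split()[0].rsplit("/", 1)[-1]
        procs[pid] = (ppid, name)
    return procs


def descends_from(procs, pid, name):
    """True if some ancestor of pid is named exactly `name`."""
    seen, ppid = set(), procs[pid][0]
    while ppid in procs and ppid not in seen:   # `seen` guards against cycles
        seen.add(ppid)
        if procs[ppid][1] == name:
            return True
        ppid = procs[ppid][0]
    return False


def suspicious_case_variants(procs):
    """PIDs named like a trusted daemon except for case, with no such ancestor."""
    return [pid for pid, (_, name) in sorted(procs.items())
            if name.lower() in TRUSTED and name != name.lower()
            and not descends_from(procs, pid, name.lower())]


def check_live():
    """Run the same check against the live process table."""
    out = subprocess.run(["ps", "-ef"], capture_output=True, text=True, check=True).stdout
    return suspicious_case_variants(parse_ps(out))
```

A flagged PID is a lead, not a verdict: a job runner whose crond parent has since exited is reparented to init and will be reported, so confirm by hand (for instance by comparing /proc/PID/exe of the flagged process with that of crond) before acting.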

Acid-Duck
08-22-2004, 10:53 AM
Thanks for your reply and information, this makes me feel much better.


Erik