DA's cron jobs -- do these look normal?

knoxhosting (Verified User; joined Jan 10, 2005; 42 messages)
Are these normal? I ask because my server was hacked about a week ago and I don't remember seeing this many entries in my cron log on a previous DA server.

Code:
May 30 20:30:01 server crond[26902]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:30:01 server crond[26903]: (root) CMD (/usr/local/sbin/bfd -q)
May 30 20:31:01 server crond[27361]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:32:01 server crond[27556]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:33:01 server crond[27666]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:34:01 server crond[27887]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:35:01 server crond[28130]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 20:35:01 server crond[28134]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:36:01 server crond[28365]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:37:01 server crond[28744]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:38:01 server crond[28880]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:39:01 server crond[29036]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:40:01 server crond[29227]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 20:40:01 server crond[29229]: (root) CMD (/usr/local/sbin/bfd -q)
May 30 20:40:01 server crond[29241]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:41:01 server crond[29669]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:42:01 server crond[30083]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:43:01 server crond[30491]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:44:01 server crond[30774]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:45:01 server crond[30889]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 20:45:01 server crond[30899]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:46:01 server crond[31119]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:47:01 server crond[31391]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:48:01 server crond[31607]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:49:01 server crond[31915]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:50:01 server crond[32208]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 20:50:01 server crond[32211]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:50:01 server crond[32221]: (root) CMD (/usr/local/sbin/bfd -q)
May 30 20:51:01 server crond[325]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:52:01 server crond[625]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:53:01 server crond[854]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:54:01 server crond[1069]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:55:01 server crond[1409]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 20:55:01 server crond[1414]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:56:01 server crond[1773]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:57:01 server crond[2052]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:58:01 server crond[2504]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:59:01 server crond[2835]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:00:01 server crond[3102]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 21:00:01 server crond[3108]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:00:01 server crond[3114]: (root) CMD (/usr/local/sbin/bfd -q)
May 30 21:01:01 server crond[3580]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:01:01 server crond[3581]: (root) CMD (run-parts /etc/cron.hourly)
May 30 21:02:01 server crond[3853]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:03:01 server crond[4196]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:04:01 server crond[4453]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:05:01 server crond[4681]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:05:01 server crond[4682]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 21:06:01 server crond[4983]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 21:07:01 server crond[5120]: (root) CMD (/usr/local/directadmin/dataskq)
 
(/usr/local/directadmin/dataskq)
Those are normal and should be run once a minute. Not sure on the others however.
 
Hmmm....

May 30 21:05:01 server crond[4682]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)

Every five minutes?

Someone has set up a cron job somewhere to turn off your firewall every five minutes.

We still recommend rebuilding hacked servers.

In spite of all the effort.

Jeff
 
May 30 21:00:01 server crond[3114]: (root) CMD (/usr/local/sbin/bfd -q)

.. and brute force detection has been set to quit every 5 mins, you should seriously either rebuild or get someone to check out your system.
 
I know this is a very old topic (came on it because of Google), but:

apf normally turns itself off 5 minutes after start

It's a setting in the config file that makes it possible to test it before you use it; you need to turn it off though if you're happy with your firewall.

(and yes, that works through a cronjob)

I don't know about bfd though..
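
Added example (not written by any poster in this thread): a small Python script that groups crond `CMD` lines by command, measures how often each one runs, and flags scheduled jobs that stop a firewall, which is the pattern the replies above picked out by eye. The sample input is a subset of the log lines quoted in the first post; the firewall-matching pattern and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a subset of the crond lines quoted in the thread.
SAMPLE_LOG = """\
May 30 20:30:01 server crond[26902]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:30:01 server crond[26903]: (root) CMD (/usr/local/sbin/bfd -q)
May 30 20:31:01 server crond[27361]: (root) CMD (/usr/local/directadmin/dataskq)
May 30 20:35:01 server crond[28130]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 20:40:01 server crond[29227]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
May 30 20:40:01 server crond[29229]: (root) CMD (/usr/local/sbin/bfd -q)
May 30 20:45:01 server crond[30889]: (root) CMD (/etc/init.d/apf stop >> /dev/null 2>&1)
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ crond\[\d+\]: \((\S+)\) CMD \((.*)\)$")
# Hypothetical heuristic (assumption of this example): jobs that stop or flush a firewall.
STOPS_FIREWALL = re.compile(r"\b(apf|csf|iptables|ufw)\b.*\s(stop|disable|-F|--flush)\b")

def summarize(log_text):
    """Map (user, command) -> run count, median gap in minutes, firewall flag."""
    runs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a crond CMD line
        stamp, user, cmd = m.groups()
        # syslog stamps carry no year; a fixed one is enough to measure gaps
        runs[user, cmd].append(datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S"))
    report = {}
    for key, stamps in runs.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "runs": len(stamps),
            "every_min": median(gaps) if gaps else None,
            "stops_firewall": bool(STOPS_FIREWALL.search(key[1])),
        }
    return report

def flagged(report):
    """Commands whose text matches the firewall-stopping heuristic, sorted."""
    return sorted(cmd for (_, cmd), r in report.items() if r["stops_firewall"])

if __name__ == "__main__":
    for (user, cmd), r in summarize(SAMPLE_LOG).items():
        print(user, r["runs"], r["every_min"], r["stops_firewall"], cmd)
```

A flagged command is only a lead: the next step is to find which crontab schedules it (`/etc/crontab`, `/etc/cron.d/`, the per-user files under `/var/spool/cron`) and decide whether it comes from a known setting, such as the APF test behaviour described in the last reply, or from something nobody on the team installed.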
 