Strange entries in cron.d

snowweb

I have found a text file in my cron.d directory called ifdcron.sh which contains the following entries in it:

MAILTO=
SHELL=/bin/sh
0 0 * * * root /etc/init.d/lfd restart > /dev/null 2>&1
* * * * * root /usr/bin/test -e /etc/csf/lfd.restart && /bin/rm /etc/csf/lfd.restart && /etc/init.d/lfd restart > /dev/null 2>&1
* * * * * root /usr/bin/test -e /etc/csf/lfd.start && /bin/rm /etc/csf/lfd.start && /etc/init.d/lfd start > /dev/null 2>&1
* * * * * root /usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1

Can someone tell me what this is about please?

The reason I checked it was because today the server CPU usage was at 100% for an extended period although the machine should have little load. Further examination of the logs revealed attempted (and possibly successful) hacking of the ftp service. Later I noticed in /var/log/cron/ the following

May 29 19:34:01 s1 crond[13513]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:34:01 s1 crond[13517]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.start && /bin/rm /etc/csf/lfd.start && /etc/init.d/lfd start > /dev/null 2>&1)
May 29 19:34:01 s1 crond[13520]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.restart && /bin/rm /etc/csf/lfd.restart && /etc/init.d/lfd restart > /dev/null 2>&1)
May 29 19:34:01 s1 crond[13521]: (root) CMD (/usr/local/directadmin/dataskq)
May 29 19:35:01 s1 crond[14118]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:35:01 s1 crond[14152]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.start && /bin/rm /etc/csf/lfd.start && /etc/init.d/lfd start > /dev/null 2>&1)
May 29 19:35:01 s1 crond[14167]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.restart && /bin/rm /etc/csf/lfd.restart && /etc/init.d/lfd restart > /dev/null 2>&1)
May 29 19:35:01 s1 crond[14168]: (root) CMD (/usr/local/directadmin/dataskq)
May 29 19:36:02 s1 crond[16142]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.start && /bin/rm /etc/csf/lfd.start && /etc/init.d/lfd start > /dev/null 2>&1)
May 29 19:36:02 s1 crond[16143]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.restart && /bin/rm /etc/csf/lfd.restart && /etc/init.d/lfd restart > /dev/null 2>&1)
May 29 19:36:02 s1 crond[16144]: (root) CMD (/usr/local/directadmin/dataskq)
May 29 19:36:02 s1 crond[16145]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:37:01 s1 crond[17639]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:37:01 s1 crond[17641]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.start && /bin/rm /etc/csf/lfd.start && /etc/init.d/lfd start > /dev/null 2>&1)
May 29 19:37:01 s1 crond[17645]: (root) CMD (/usr/local/directadmin/dataskq)
May 29 19:37:01 s1 crond[17646]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.restart && /bin/rm /etc/csf/lfd.restart && /etc/init.d/lfd restart > /dev/null 2>&1)
May 29 19:38:01 s1 crond[18254]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:38:01 s1 crond[18255]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.start && /bin/rm /etc/csf/lfd.start && /etc/init.d/lfd start > /dev/null 2>&1)
May 29 19:38:01 s1 crond[18257]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.restart && /bin/rm /etc/csf/lfd.restart && /etc/init.d/lfd restart > /dev/null 2>&1)
May 29 19:38:01 s1 crond[18262]: (root) CMD (/usr/local/directadmin/dataskq)

The file is 90MB in size (I just truncated it here).

This caused me to check the cron entries to find out what is running and why.

Please can someone advise me?

Thanks.

peter
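An added example, not from the thread: a Python summariser for /var/log/cron records in the format quoted above. It streams a log of any size once and answers "what is running, as which user, and how often", which is the question the 90MB file raises; the sample lines are constructed copies of the ones above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: copies in shape of the /var/log/cron records quoted above.
SAMPLE_LOG = """\
May 29 19:34:01 s1 crond[13513]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:34:01 s1 crond[13521]: (root) CMD (/usr/local/directadmin/dataskq)
May 29 19:35:01 s1 crond[14118]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:35:01 s1 crond[14168]: (root) CMD (/usr/local/directadmin/dataskq)
May 29 19:36:02 s1 crond[16145]: (root) CMD (/usr/bin/test -e /etc/csf/lfd.enable && /bin/rm /etc/csf/lfd.enable && /usr/sbin/csf -e > /dev/null 2>&1)
May 29 19:36:02 s1 crond[16144]: (root) CMD (/usr/local/directadmin/dataskq)
"""

# One crond CMD record: syslog timestamp, host, pid, user and the command run.
CMD_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):(?P<mm>\d{2}):\d{2} "
    r"(?P<host>\S+) crond\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

def summarise(lines):
    """Stream log lines once; return (runs per command, runs per minute per command,
    user per command). Non-CMD records (crond startup notices etc.) are skipped."""
    per_cmd, per_minute, users = Counter(), defaultdict(Counter), {}
    for line in lines:
        m = CMD_RE.match(line.rstrip("\n"))
        if not m:
            continue
        cmd = m["cmd"]
        per_cmd[cmd] += 1
        per_minute[f"{m['month']} {m['day']} {m['hh']}:{m['mm']}"][cmd] += 1
        users[cmd] = m["user"]
    return per_cmd, dict(per_minute), users

def peak_runs_per_minute(lines):
    """Most launches of any single command inside one minute: 1 means the job
    fires on schedule and exits, more means it is being re-run or duplicated."""
    _, per_minute, _ = summarise(lines)
    return max((n for cmds in per_minute.values() for n in cmds.values()), default=0)

if __name__ == "__main__":
    # For the real 90MB file: summarise(open("/var/log/cron", errors="replace"))
    per_cmd, per_minute, users = summarise(SAMPLE_LOG.splitlines())
    for cmd, n in per_cmd.most_common():
        print(f"{n:6d} runs as {users[cmd]:<5} {cmd}")
    print(f"{len(per_minute)} minutes covered, peak per minute: "
          f"{peak_runs_per_minute(SAMPLE_LOG.splitlines())}")
```

A peak of 1 per minute for every command, as the quoted records show, means each `* * * * *` job runs once and exits; the log grows because four root jobs are logged every minute, not because anything runs continuously.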
 
I was interested at one point as well in those entries. They check for various files and if they're found, CSF will start/stop/restart respectively. I think it's done instantly via the control panel, so I couldn't figure out why it did the checks in the first place.
 
I've just uninstalled CSF since it was disabled anyway, because when enabled, even when wide open, it's blocking ALL connections except shell. I'm fed up with it, since it uses so many resources even when it's not running!

So I've uninstalled the plugin using the plugin manager and then I deleted it, also via the plugin manager. I then noticed several directories scattered around the filesystem called 'csf'. I renamed them to 'csf.delete-me-soon'. I would also like to stop this ridiculous cron task too.

Should I delete the entire file in the cron.d directory called ifdcron.sh or just remove some of the entries from it please?

Thanks,

pete
 
Hi Pete,

I don't know if this can be the problem but...
Extracted from the 'install.txt' of CSF:
You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS
servers have this disabled and you should check /etc/init.d/syslog and make
sure that any klogd lines are not commented out. If you change the file,
remember to restart syslog.

AFAIK there is no 'magic' firewall out there; every time I need to install one, I need to customize something. That's Linux, you never get bored and the manual is essential reading, no 'Guidows' black magic here, no magical fire and run, but that's better from my point of view.

Hope this helps,
Ramon
 
Thanks Ramon. I wasn't really expecting not to have to configure it. Actually I would have been disappointed if I couldn't do that. I'm a network engineer by trade, so I can understand the settings (mostly); it's just that they simply didn't seem to have any effect! It's like I might as well have switched off the server after I enabled the firewall, even though it was set to allow all. It sounds like you are probably right about klogd, since I knew nothing about that, so never checked.

It's late here now, so I will look into it in the morning. Maybe I'll re-install CSF, although I'm still a bit worried about the look of that cron task. It looks to me as though it's running almost continually and I'm worried about the resources that it might use. Is this something I should be concerned about or have I misunderstood this cron?

I come from a Windows background, so I'm not so used to text files and remembering commands, but I usually get there in the end with a bit of help from my friends here :)

pete
 
I can't speak about CSF because I don't use it, but if you test APF+BFD+... and you have problems, PM me.
 
I've now installed APF and I configured the conf.apf file. Then I ran apf -r and got the following output:

[root@s1 ~]# /etc/apf/apf -s
: command not foundline 13:
: command not foundline 21:
: command not foundline 24:
: command not foundline 28:
: command not foundline 30:
: command not foundline 34:
: command not foundline 40:
: command not foundline 52:
: command not foundline 58:
: command not foundline 66:
: command not foundline 72:
: command not foundline 78:
: command not foundline 83:
: command not foundline 89:
: command not foundline 93:
: command not foundline 100:
: command not foundline 113:
: command not foundline 118:
: command not foundline 127:
: command not foundline 132:
: command not foundline 136:
: command not foundline 140:
: command not foundline 144:
: command not foundline 149:
: command not foundline 159:
: command not foundline 167:
: command not foundline 173:
: command not foundline 181:
: command not foundline 187:
: command not foundline 191:
: command not foundline 195:
: command not foundline 200:
: command not foundline 206:
: command not foundline 209:
: command not foundline 212:
: command not foundline 215:
: command not foundline 218:
: command not foundline 221:
: command not foundline 224:
: command not foundline 229:
: command not foundline 235:
: command not foundline 241:
: command not foundline 247:
: command not foundline 255:
: command not foundline 262:
: command not foundline 268:
: command not foundline 275:
: command not foundline 282:
: command not foundline 288:
: command not foundline 295:
: command not foundline 300:
: command not foundline 304:
: command not foundline 309:
: command not foundline 314:
: command not foundline 321:
: command not foundline 333:
: command not foundline 342:
: command not foundline 351:
: command not foundline 355:
: command not foundline 365:
: command not foundline 368:
: command not foundline 371:
: command not foundline 375:
: command not foundline 389:
: command not foundline 392:
: command not foundline 395:
: command not foundline 398:
: command not foundline 402:
: command not foundline 414:
: command not foundline 417:
: command not foundline 420:
: command not foundline 431:
: command not foundline 434:
: command not foundline 443:
: command not foundline 444:
: command not foundline 445:
: command not foundline 446:
: command not foundline 452:
: command not foundline 453:
: command not foundline 454:
: command not foundline 455:
: command not foundline 461:
: command not foundline 462:
: command not foundline 463:
: command not foundline 464:
: command not foundline 472:
: command not foundline 474:
: command not foundline 475:
: command not foundline 484:
: command not foundline 485:
: command not foundline 486:
: command not foundline 487:
: command not foundline 497:
: command not foundline 498:
: command not foundline 499:
: command not foundline 500:
: command not foundline 501:
: command not foundline 502:
: command not foundline 503:
: command not foundline 509:
: command not foundline 513:
: command not foundline 518:
: command not foundline 522:
: command not foundline 525:
: command not foundline 529:
: command not foundline 533:
: command not foundline 537:
: No such file or directory: /etc/apf
/etc/apf/apf: line 136: eout: command not found
/internals/.last.full: No such file or directory
touch: missing file operand
Try `touch --help' for more information.
chmod: missing operand after `600'
Try `chmod --help' for more information.
touch: missing file operand
Try `touch --help' for more information.
chmod: missing operand after `600'
Try `chmod --help' for more information.
touch: missing file operand
Try `touch --help' for more information.
chmod: missing operand after `600'
Try `chmod --help' for more information.
/etc/apf/apf: line 152: devm: command not found
/vnet/vnetgen: No such file or directory
/firewall: No such file or directory
/etc/apf/apf: line 160: bandmin: command not found
/etc/apf/apf: line 162: eout: command not found
/internals/.apf.restore: No such file or directory
/etc/apf/apf: line 170: eout: command not found

I'm lost now! Any advice would be appreciated please.

Thanks

pete
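An added note and example, not part of the thread: the repeated `: command not foundline N:` lines and `/internals/.last.full: No such file or directory` above are how a terminal renders bash messages that contain a carriage return, which is exactly what a configuration file saved with Windows (CRLF) line endings produces when a script sources it: every blank line is executed as a command named `\r`, and a value such as `INSTALL_PATH="/etc/apf"` is read as `/etc/apf` with a trailing CR, so every path built from it fails. The Python below reproduces that rendering and checks a file for CRLF lines; it assumes the sourced file was `/etc/apf/conf.apf` (the file name whose length leaves exactly `line 13:` visible after the overwrite) and that `INSTALL_PATH` is the variable involved.

```python
# Constructed: the message bash prints for a blank line that carries a carriage
# return in a sourced file; the file name /etc/apf/conf.apf is assumed.
BASH_ERROR = "/etc/apf/conf.apf: line 13: \r: command not found\n"
# Constructed: a path built from INSTALL_PATH="/etc/apf" read with its CR attached.
PATH_ERROR = "cat: /etc/apf\r/internals/.last.full: No such file or directory\n"

def render_terminal(text):
    """Display text as a terminal would: '\\r' moves the cursor back to column 0,
    so whatever bash prints after it overwrites the start of the same line."""
    lines, buf, col = [], [], 0
    for ch in text:
        if ch == "\n":
            lines.append("".join(buf))
            buf, col = [], 0
        elif ch == "\r":
            col = 0
        else:
            if col < len(buf):
                buf[col] = ch
            else:
                buf.append(ch)
            col += 1
    if buf:
        lines.append("".join(buf))
    return lines

def crlf_lines(data: bytes):
    """1-based numbers of lines that end in CRLF; blank ones become a command
    named '\\r', the rest leave a stray CR on the end of every assigned value."""
    return [i + 1 for i, line in enumerate(data.split(b"\n")) if line.endswith(b"\r")]

def blank_crlf_lines(data: bytes):
    """The subset of crlf_lines() that is blank, i.e. the lines bash complains about."""
    return [i + 1 for i, line in enumerate(data.split(b"\n")) if line == b"\r"]

# Constructed conf fragment saved with Windows line endings (variable names illustrative).
SAMPLE_CONF = b'INSTALL_PATH="/etc/apf"\r\n\r\nDEVEL_MODE="0"\r\n'

if __name__ == "__main__":
    print(render_terminal(BASH_ERROR))   # [': command not foundline 13: ']
    print(render_terminal(PATH_ERROR))   # ['/internals/.last.full: No such file or directory']
    print("CRLF lines:", crlf_lines(SAMPLE_CONF), "blank:", blank_crlf_lines(SAMPLE_CONF))
    # To check a real file: crlf_lines(open("/etc/apf/conf.apf", "rb").read())
```

If `crlf_lines()` reports any lines, re-saving the file with LF endings (or a `sed -i 's/\r$//'` over it) removes the whole cascade of errors at once.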
 
Hi again Pete,

Please, can you tell me where you downloaded 'APF' from and what version it reports when you run it without options? Other interesting data would be the OS distro and version, and finally how you launched the install of 'APF'.

P.S.: Do you work at 'La Salle College' or 'The Center for Biblical Studies'?

Regards,
Ramon
 
Please Pete, post the output of the commands below:

uname -a
whereis iptables
whereis head
whereis grep
whereis sed
whereis gawk
whereis tr
whereis cut

But this is the first time I have read about this problem. I suspect your hoster has excluded some apps from the container install. I don't know...

Ramon
 
redesb,

Are you running a VPS? If you are, then you need to have the firewall discussion with your provider; VPS installations generally do not by default implement iptables on a per VPS level.

You might also want to look at the KISS firewall, and to get versions of these firewalls which will work out of the box in a DirectAdmin webhosting environment you should probably only use instructions on these forums.

Jeff
 
Hi Ramon, sorry for the delay. Here is the information that you requested:

[root@s1 ~]# uname -a
Linux s1.snowweb.info 2.6.18-028stab062.3-ent #1 SMP Thu Mar 26 15:12:05 MSK 2009 i686 i686 i386 GNU/Linux
[root@s1 ~]# whereis iptables
iptables: /sbin/iptables /lib/iptables /usr/share/man/man8/iptables.8.gz
[root@s1 ~]# whereis head
head: /usr/bin/head /usr/share/man/man1/head.1.gz /usr/share/man/man1p/head.1p.gz
[root@s1 ~]# whereis grep
grep: /bin/grep /usr/share/man/man1/grep.1.gz /usr/share/man/man1p/grep.1p.gz
[root@s1 ~]# whereis sed
sed: /bin/sed /usr/share/man/man1/sed.1.gz /usr/share/man/man1p/sed.1p.gz
[root@s1 ~]# whereis gawk
gawk: /bin/gawk /usr/bin/gawk /usr/share/man/man1/gawk.1.gz
[root@s1 ~]# whereis tr
tr: /usr/bin/tr /usr/share/man/man1/tr.1.gz /usr/share/man/man1p/tr.1p.gz
[root@s1 ~]# whereis cut
cut: /bin/cut /usr/bin/cut /usr/share/man/man1/cut.1.gz /usr/share/man/man1p/cut.1p.gz

I guess if they excluded something from the container installation, I can just add it myself, so long as I know what I need?

jlassman, thanks for your advice also. I'm on a serverpoint.com VPS. It is running the Parallels Power Panel - Virtuozzo Container Manager. My OS is CentOS 5.

I might check out KISS if I have no luck getting APF working. This is just what I don't like about Linux: when you install a program on Windows, normally all dependencies are installed at the same time automatically; on Linux, 9 times out of 10, they don't even mention the dependencies and the program just doesn't work (unless you have a few days and some good experts, like you guys, on hand)! Anyway.. enough of my self-pity!

Regarding iptables being available on a per-VPS basis: I have no idea how to tell, although I believe it is, since I'm able to list the contents of iptables and they don't look like they have experienced any advanced config so far.

Regards,

pete
 
Hi Pete,

No idea what went wrong with your installation; I believe it's not a problem of a lack of applications. Re-reading your previous post of errors, I got the impression that APF cannot find some files, including the configuration.

You have a PM,
Ramon
 