On Tue, Apr 22, 2014 at 7:40 PM, Michel Donais <donais@xxxxxxxxxxxx> wrote:

> Has somebody had this situation where an email is sent every minute to a
> specific user named michel?
> These emails are
> incoming from: Root
> with a header like: Cron <michel@donais> ~/.h5siP >/dev/null 2>/dev/null;
> and a text message as: /bin/sh: no: command not found
>
> There is a cron task named h5siP in the path of this user; he is the only
> one affected by this situation.
> I found that this script has a relation with another one named R5Agz

Did this user intentionally set up something that automatically recreates cronjobs?

> If I remove the cron job h5siP from the cron listing and I restart cron, the
> script is back a few minutes later.

If a person was to guess blindly, they might suspect that a nefarious person has compromised your server and set a cronjob.

Without knowing more about your set up and how you have protected your servers (if SSH is open to the world, has SSH been brute forced, who has last logged in, etc), it will be tough to give good answers.

Years ago, I found remnants of cronjobs in /var/spool/cron/ on a shared web server that was compromised (and subsequently cleaned up). By the sounds of it, those files are user cronjobs which will be in the cron spool.

> .h5siP-p and .R5Agz-p are located in dev/shm/ and both contain a process
> number as 23374 and 35678
> .R5Agz and .h5siP can be found in a user named michel repertory, which is the
> one who receives a lot of emails
> .h5siP is also located in /temp
>
> The only changes we made to our system were yesterday. We made an automatic
> yum update of three programs: java 1.6, kpartx and device-mapper-multipath.
> I don't know if there is a relation or do I face a kind of virus?

For starters, you need to find out what those cronjobs are doing -- that will indicate the urgency.

Use strace to connect to those processes.

strace -p <pid#>

And from there, determine what is creating that file.

You would think that whatever it is, would routinely check for the file to exist and you could catch it by grepping the output from lsof.

> I hope somebody can help
>
> ---
>
> Michel Donais
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

--
---~~.~~---
Mike // SilverTip257 //
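The checks Mike suggests (inspect the user's crontab entries, look at the PID marker files under /dev/shm, then see what the recorded processes actually are) can be scripted so they are repeatable while the box is being investigated. The script below is an added example written for this thread, not code posted by either participant. The crontab text it ships with is constructed for the demonstration; the file names `.h5siP`, `.R5Agz-p` and the PID 23374 are the ones Michel reports. It assumes a Linux host with `crontab`, `ps`, `/proc` and optionally `lsof`; the `--live` mode needs root to read another user's crontab.

```shell
#!/bin/sh
# Added example, not from the CentOS thread: audit helpers for a crontab entry
# that runs a hidden dotfile with its output discarded, and for PID marker
# files left under /dev/shm or /tmp.

# Constructed sample crontab for the offline demonstration (not real data).
SAMPLE_CRONTAB='# constructed sample crontab
0 2 * * * /usr/local/bin/backup.sh
* * * * * ~/.h5siP >/dev/null 2>/dev/null
*/5 * * * * /dev/shm/.R5Agz-p
30 4 * * 1 /usr/bin/yum -y update'

# flag_cron_lines: read crontab text on stdin and print the entries that run a
# hidden dotfile out of a home directory, or anything at all out of /dev/shm
# or /tmp. Comment and blank lines are dropped first.
flag_cron_lines() {
    grep -E -v '^[[:space:]]*(#|$)' |
        grep -E '(~/\.|/home/[^/ ]+/\.|/dev/shm/|/tmp/)[A-Za-z0-9._-]+'
}

# count_flagged: number of flagged entries, "0" when nothing matches.
count_flagged() {
    flag_cron_lines | wc -l | tr -d ' '
}

# list_pid_markers DIR: print "<file> <pid>" for every hidden file in DIR whose
# first line is nothing but a number, the ".h5siP-p" / ".R5Agz-p" pattern
# described in the thread. Typical DIR values are /dev/shm and /tmp.
list_pid_markers() {
    dir=$1
    for f in "$dir"/.*; do
        [ -f "$f" ] || continue
        if grep -qxE '[0-9]+' "$f"; then
            printf '%s %s\n' "$f" "$(head -n 1 "$f")"
        fi
    done
}

# describe_pid PID: show what a PID taken from a marker file really is.
# /proc/PID/exe still points at the running binary even if the file on disk
# was removed (the link then ends in "(deleted)").
describe_pid() {
    pid=$1
    if [ -d "/proc/$pid" ]; then
        ps -o pid=,ppid=,user=,lstart=,args= -p "$pid"
        ls -l "/proc/$pid/exe" 2>/dev/null
    else
        echo "pid $pid is not running"
    fi
}

# audit_user USER: run the checks against the live host (root needed to read
# another user's crontab and to see other users' open files with lsof).
audit_user() {
    user=$1
    echo "== crontab entries for $user that look suspicious =="
    crontab -u "$user" -l 2>/dev/null | flag_cron_lines
    for d in /dev/shm /tmp; do
        echo "== PID marker files in $d =="
        list_pid_markers "$d" | while read -r f pid; do
            echo "$f -> $pid"
            describe_pid "$pid"
        done
    done
    echo "== processes holding files open under /dev/shm =="
    lsof +D /dev/shm 2>/dev/null || echo "lsof not available"
}

# Only touch the live system when explicitly asked, so the file can be sourced
# for its functions without side effects.
if [ "${1:-}" = "--live" ]; then
    audit_user "${2:-michel}"
fi
```

Run as root with `sh audit.sh --live michel` on the affected host. The crontab check deliberately works on text rather than on `/var/spool/cron/michel` directly so the same function can be pointed at a copy of the spool file taken for evidence; the marker-file check is what lets you go from the number inside `.h5siP-p` to the process (and its `/proc/PID/exe`) that Mike suggests attaching `strace -p` to.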