CRON added by Something or Someone; High Load

Posted: Tue Nov 04, 2014 11:47 am
by KrazyBob
The following CRON has been added for a domain that no longer exists:

14,34,54        *       *       *       *       /usr/lib64/plesk-9.0/postfix-poplockdb-clean
*       *       *       *       *       mailq|awk ' /^[0-9A-F][0-9A-F]*.*.bluetopmanagement.com$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d
0,10,20,30,40,50        *       *       *       *       /usr/local/psa/admin/bin/php -c '/usr/local/psa/admin/conf/php.ini' -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/plesk-mobile/scripts/push_worker.php'
This results in this running every minute:

Nov  4 10:14:01 clss06 CROND[15857]: (root) CMD (mailq|awk ' /^[0-9A-F][0-9A-F]*.*.bluetopmanagement.com$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d)
Nov  4 10:14:01 clss06 CROND[15858]: (root) CMD (/usr/lib64/plesk-9.0/postfix-poplockdb-clean)
Nov  4 10:15:01 clss06 CROND[15937]: (root) CMD (mailq|awk ' /^[0-9A-F][0-9A-F]*.*.bluetopmanagement.com$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d)
Nov  4 10:15:01 clss06 CROND[15938]: (mailman) CMD (/usr/lib/mailman/cron/gate_news)
Nov  4 10:16:01 clss06 CROND[15990]: (root) CMD (mailq|awk ' /^[0-9A-F][0-9A-F]*.*.bluetopmanagement.com$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d)
Nov  4 10:17:01 clss06 CROND[16016]: (root) CMD (mailq|awk ' /^[0-9A-F][0-9A-F]*.*.bluetopmanagement.com$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d)
Can I safely delete it since it references a domain no longer hosted?
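The question under the post is really a crontab audit: which root jobs fire unusually often, and which still mention domains the server no longer hosts. The following is an added example, not code from the thread or from Plesk; it parses the three crontab lines quoted above (embedded as constructed input), computes how many times per day each fires, and flags entries that exceed a load threshold or mention a domain the administrator has listed as retired. The `retired_domains` set and the 288-runs-per-day threshold are assumptions for illustration.

```python
import re
from collections import namedtuple

CronEntry = namedtuple("CronEntry", "minute hour dom month dow command")

# Constructed input: the three crontab lines quoted in the post above.
CRONTAB = """\
14,34,54        *       *       *       *       /usr/lib64/plesk-9.0/postfix-poplockdb-clean
*       *       *       *       *       mailq|awk ' /^[0-9A-F][0-9A-F]*.*.bluetopmanagement.com$/ {print $1}'|tr -d '*'| xargs -rn1 postsuper -d
0,10,20,30,40,50        *       *       *       *       /usr/local/psa/admin/bin/php -c '/usr/local/psa/admin/conf/php.ini' -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/plesk-mobile/scripts/push_worker.php'
"""


def parse_crontab(text):
    """Split classic five-field crontab lines into (fields..., command)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, rest is the command
        if len(fields) < 6:
            continue
        entries.append(CronEntry(*fields))
    return entries


def field_count(field, lo, hi):
    """Number of distinct values a cron field matches within [lo, hi].

    Handles '*', comma lists, ranges (a-b) and step values (x/n).
    """
    matched = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        matched.update(range(start, end + 1, step))
    return len(matched)


def runs_per_day(entry):
    """Only the minute and hour fields decide how often a job fires within one day."""
    return field_count(entry.minute, 0, 59) * field_count(entry.hour, 0, 23)


def audit(entries, retired_domains, max_runs_per_day=288):
    """Return (command, runs_per_day, reasons) for every entry worth a second look.

    max_runs_per_day=288 (every five minutes) is an assumed threshold, not a Plesk default.
    """
    findings = []
    for entry in entries:
        runs = runs_per_day(entry)
        mentioned = sorted(d for d in retired_domains if d in entry.command)
        reasons = []
        if runs > max_runs_per_day:
            reasons.append("fires %d times per day" % runs)
        if mentioned:
            reasons.append("references retired domain(s): " + ", ".join(mentioned))
        if reasons:
            findings.append((entry.command, runs, reasons))
    return findings


if __name__ == "__main__":
    # Assumed: the administrator knows which domains were removed from the server.
    retired = {"bluetopmanagement.com"}
    for command, runs, reasons in audit(parse_crontab(CRONTAB), retired):
        print("%s\n    %s" % (command[:60] + "...", "; ".join(reasons)))
```

Run against the quoted crontab, only the `mailq | awk ... postsuper -d` line is reported: it fires 1440 times a day and names the retired domain, while the two Plesk maintenance jobs (72 and 144 runs a day) pass. Matching the command text against a known list of retired domains is deliberate; extracting "anything that looks like a hostname" from a command line also picks up file names such as `php.ini` and `sdk.php`.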

Re: CRON added by Something or Someone; High Load

Posted: Tue Nov 04, 2014 12:10 pm
by prupert
"Something or Someone" placed a cronjob in the crontab for root? If it wasn't for the innocence of the command I would say that you were hacked.

The job appears to be deleting certain messages from the Postfix mail queue, every minute. Certainly no harm will be done by removing this cronjob. ;-)
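To make that reading of the job concrete, here is an added example (not posted by either participant and not Postfix code) that feeds constructed `mailq` output through the same regular expression the cron job uses, returning the queue IDs that would reach `postsuper -d`. The queue IDs and addresses are made up. It also includes a stricter selector that anchors on the sender field, which shows two quirks of the original pattern: the unescaped dots let an unrelated domain ending in the same letters match, and `tr -d '*'` strips the active-queue marker but not the `!` that `mailq` puts after held messages.

```python
import re

# Constructed mailq (postqueue -p) output. Queue IDs and addresses are invented.
# '*' after a queue ID marks an active message, '!' a message on hold.
MAILQ_OUTPUT = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*     4096 Tue Nov  4 10:13:01  bounce@bluetopmanagement.com
                                         victim@example.net

F6E5D4C3B2      1234 Tue Nov  4 10:13:05  user@example.org
                                         someone@example.com

0123456789!     2048 Tue Nov  4 10:13:09  news@mail.bluetopmanagement.com
                                         other@example.net

9876543210       512 Tue Nov  4 10:13:12  user@notbluetopmanagement.com
                                         other@example.net

-- 7 Kbytes in 4 Requests.
"""

# The awk pattern from the cron job, copied as-is (dots are not escaped).
QUEUE_LINE_RE = re.compile(r"^[0-9A-F][0-9A-F]*.*.bluetopmanagement.com$")

DOMAIN = "bluetopmanagement.com"


def select_queue_ids(mailq_output):
    """Emulate: mailq | awk '/<pattern>/ {print $1}' | tr -d '*'."""
    ids = []
    for line in mailq_output.splitlines():
        if QUEUE_LINE_RE.search(line):
            ids.append(line.split()[0].replace("*", ""))  # awk $1, then tr -d '*'
    return ids


def postsuper_commands(queue_ids):
    """What xargs -rn1 would run: one command per ID, nothing at all for an empty list."""
    return ["postsuper -d %s" % qid for qid in queue_ids]


def select_queue_ids_strict(mailq_output, domain=DOMAIN):
    """Same intent as the cron job, with the sender address parsed explicitly.

    Requires the sender's host to be the domain or a subdomain of it, and strips
    both the '*' (active) and '!' (hold) markers so postsuper gets a clean ID.
    """
    ids = []
    for line in mailq_output.splitlines():
        if not line or line[0] in "- ":
            continue  # header, footer, blank, or recipient continuation line
        parts = line.split()
        if len(parts) < 2:
            continue
        queue_id, sender = parts[0].rstrip("*!"), parts[-1]
        if not re.fullmatch(r"[0-9A-F]+", queue_id):
            continue  # not a classic hex queue ID line
        host = sender.rsplit("@", 1)[-1].lower()
        if host == domain or host.endswith("." + domain):
            ids.append(queue_id)
    return ids


if __name__ == "__main__":
    print("original pattern selects:", select_queue_ids(MAILQ_OUTPUT))
    print("commands xargs would run:", postsuper_commands(select_queue_ids(MAILQ_OUTPUT)))
    print("strict selector selects: ", select_queue_ids_strict(MAILQ_OUTPUT))
```

On this input the original pattern selects `A1B2C3D4E5`, `0123456789!` and `9876543210`: the held message keeps its `!` (so `postsuper -d 0123456789!` would not refer to a valid ID), and `user@notbluetopmanagement.com` is swept up because `.bluetopmanagement` in the pattern means "any character, then bluetopmanagement". The strict selector returns only `A1B2C3D4E5` and `0123456789`. Both versions assume the classic uppercase-hex queue IDs; Postfix long queue IDs use a different alphabet and would not match either.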

Re: CRON added by Something or Someone; High Load

Posted: Tue Nov 04, 2014 12:41 pm
by KrazyBob
Thank you for a speedy reply. This is a leased dedicated server and the client may have put it in there. But he lost the client because they wouldn't keep their site clean and Google would blacklist it and my IP. Not being familiar with postfix, I didn't realize that the command is benign.

Thank you.