[GTALUG] cron scripts **BOOM**

Jason Shaw grazer at gmail.com
Wed Jan 9 12:46:08 EST 2019


Darryl, you should be able to look at yum or apt/dpkg histories to see
if/when cron was updated and possibly glean some information about who/what
did it.

For Debian and Ubuntu:
https://serverfault.com/questions/175504/how-do-i-get-the-history-of-apt-get-install-on-ubuntu
For Red Hat/RPM-based distros: 'yum history info crontab' or whatever the
name of the cron package is called.

Certainly sounds like something automatically updated the cron package to
me.  Good luck with the forensics.
-jason
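The Debian/Ubuntu half of the check Jason describes, as an added example that is not code from the thread: pull the cron package's install/upgrade events out of dpkg.log, pull the apt history records that name the package (their Commandline: and Requested-By: fields say what drove the change), and read the "installed on" timestamp back out of the crontab header so the two can be lined up. The log excerpts, package versions and apt commands below are constructed stand-ins for /var/log/dpkg.log and /var/log/apt/history.log, not real logs from the poster's hosts; on a live host pass those files (and their rotated .1 and zcat'd .gz copies) instead.

```shell
#!/bin/sh
# Added example (not from the thread). Answers two questions on a
# Debian/Ubuntu host: when was the cron package touched, and what ran
# dpkg at that moment? Sample logs are constructed; versions are invented.

# Print install/upgrade/remove/purge events for one package.
# dpkg.log line layout: DATE TIME ACTION PKG[:ARCH] OLD-VERSION NEW-VERSION
dpkg_events() {
    awk -v pkg="$2" '
        $3 ~ /^(install|upgrade|remove|purge)$/ &&
        ($4 == pkg || index($4, pkg ":") == 1) { print $1, $2, $3, $4, $5, $6 }
    ' "$1"
}

# Print every apt history record (records are blank-line separated) that
# names the package, so its Commandline: / Requested-By: lines are visible.
# The pattern anchors on a space, comma or line start so "anacron" does not
# match a search for "cron".
apt_history_records() {
    awk -v pkg="$2" 'BEGIN { RS = ""; ORS = "\n\n" }
        $0 ~ ("(^|[ ,])" pkg "[:(]")' "$1"
}

# Extract the "installed on" timestamp crontab(1) writes into the header,
# to compare against the dpkg timestamps.
crontab_install_time() {
    sed -n 's/^# (- installed on \(.*\))$/\1/p' "$1"
}

# Constructed sample logs (not real data from the poster's hosts).
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/dpkg.log" <<'EOF'
2018-12-28 08:17:55 startup packages configure
2018-12-28 08:18:02 upgrade cron:amd64 3.0pl1-1 3.0pl1-2
2018-12-28 08:18:02 status half-configured cron:amd64 3.0pl1-2
2018-12-28 08:18:31 status installed cron:amd64 3.0pl1-2
2018-12-28 08:18:40 upgrade anacron:amd64 2.3-1 2.3-2
EOF
    cat > "$dir/history.log" <<'EOF'
Start-Date: 2018-12-27  06:40:11
Commandline: apt-get install vim
Requested-By: admin (1000)
Install: vim:amd64 (2:8.0-1)
End-Date: 2018-12-27  06:40:20

Start-Date: 2018-12-28  08:17:50
Commandline: /usr/bin/unattended-upgrade
Upgrade: cron:amd64 (3.0pl1-1, 3.0pl1-2), anacron:amd64 (2.3-1, 2.3-2)
End-Date: 2018-12-28  08:18:45
EOF
    cat > "$dir/root.crontab" <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Fri Dec 28 08:18:31 2018)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
EOF
    echo "$dir"
}

main() {
    d=$(write_samples)
    echo "== cron package events (dpkg.log) =="
    dpkg_events "$d/dpkg.log" cron
    echo "== apt records naming cron (history.log) =="
    apt_history_records "$d/history.log" cron
    echo "== crontab header timestamp =="
    crontab_install_time "$d/root.crontab"
    rm -rf "$d"
}

main
```

In the constructed sample the dpkg "installed" status line and the crontab header carry the same second, which is the correlation to look for on a real host; an apt record whose Commandline: is unattended-upgrade (or has no Requested-By: at all) points at an automated run rather than an operator, even on a host where nobody believes automatic updates are on.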


On Wed, Jan 9, 2019 at 12:30 PM Alex Beamish via talk <talk at gtalug.org>
wrote:

> I know that crontab -r removes the user's crontab, but what's more likely
> (based on your content) is that a new version of cron was installed -- and
> that process somehow overwrote the existing crontab with what looks like a
> default version.
>
> I have a line in my crontab that does a periodic save:
>
> #  2018-1121: 1533: Save the current crontab for later backup
> 36   8,15   *   *   *   crontab -l >/home/web/crontab.latest
>
> I then use rsync to back that file (and others) up to a safe place.
>
> Alex
>
> On Wed, Jan 9, 2019 at 11:45 AM Darryl Moore via talk <talk at gtalug.org>
> wrote:
>
>> So I have about 100 servers running 16.04 spread over North America.
>>
>> Today it became apparent that the root user cron script was deleted on
>> all 100 of them. The script is at /var/spool/cron/crontab/root and
>> everything I had has been deleted and replaced with
>>
>> # DO NOT EDIT THIS FILE - edit the master and reinstall.
>> # (- installed on Fri Dec 28 08:18:31 2018)
>> # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
>>
>> Crontabs were all originally installed using the crontab executable.
>> When I redo it the same way I get the proper crontab file but with this
>> above header added. This was never the case before. I do not have
>> automatic updates turned on on any of my machines. The date stamp in
>> this header is within a few seconds of the above on all my machines. I
>> also have a few machines running Armbian, and they are exactly the same.
>>
>> This is a major F*up for me and I have no idea how it happened. Has
>> anybody else had similar experiences? I'd love to know.
>>
>> regards,
>> darryl
>> ---
>> Talk Mailing List
>> talk at gtalug.org
>> https://gtalug.org/mailman/listinfo/talk
>>
>
>
> --
> Alex Beamish
>
> Software Developer / https://ca.linkedin.com/in/alex-beamish-5111ba3
> Speaker Wrangler / Toronto Perlmongers / http://to.pm.org/
> Baritone, Operations Manager / Toronto Northern Lights, 2013 Champions /
> www.northernlightschorus.com
> Certified Contest Administrator / Barbershop Harmony Society /
> www.barbershop.org
>
>
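The periodic `crontab -l` save Alex describes, as an added example rather than his own setup, with one guard added: a crontab that has been reduced to the bare header (the state Darryl found on his hosts) must not silently overwrite the last good copy, since that copy is exactly what you want to feed back into `crontab FILE` to restore. The header line is ignored when comparing, because its "installed on" timestamp changes on every reinstall. The cron line, paths and crontab contents below are assumptions and constructed samples, not the poster's real files.

```shell
#!/bin/sh
# Added example, not Alex's own script. Suggested cron entry (assumed paths):
#   36 8,15 * * *  crontab -l > /tmp/crontab.now && \
#                  check_crontab /home/web/crontab.latest /tmp/crontab.now
# The snapshot file is then rsynced off-host as Alex does.

# Job lines only: drop blank lines and comments, including the
# "# (- installed on ...)" header, whose timestamp changes on every
# reinstall and would otherwise make every snapshot look changed.
job_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# SNAPSHOT is the last good copy, CURRENT holds fresh `crontab -l` output.
# Prints one verdict: wiped | unchanged | updated.
# Only "updated" rotates the snapshot; "wiped" keeps it untouched so
# `crontab SNAPSHOT` can restore the jobs.
check_crontab() {
    snap=$1; cur=$2
    if [ -z "$(job_lines "$cur")" ]; then
        echo "wiped"
        return 0
    fi
    if [ -f "$snap" ] && [ "$(job_lines "$snap")" = "$(job_lines "$cur")" ]; then
        echo "unchanged"
        return 0
    fi
    [ -f "$snap" ] && cp -p "$snap" "$snap.prev"   # keep one generation to diff
    cp "$cur" "$snap"
    echo "updated"
}

# Constructed walk-through: a good crontab, the same crontab reinstalled
# (new header timestamp only), then the header-only file from the thread.
demo() {
    t=$(mktemp -d)
    printf '%s\n' '# (- installed on Fri Dec 21 09:00:00 2018)' \
        '0 3 * * * /usr/local/bin/nightly-backup.sh' > "$t/now"
    v1=$(check_crontab "$t/latest" "$t/now")
    printf '%s\n' '# (- installed on Fri Dec 28 08:18:31 2018)' \
        '0 3 * * * /usr/local/bin/nightly-backup.sh' > "$t/now"
    v2=$(check_crontab "$t/latest" "$t/now")
    printf '%s\n' '# DO NOT EDIT THIS FILE - edit the master and reinstall.' \
        '# (- installed on Fri Dec 28 08:18:31 2018)' > "$t/now"
    v3=$(check_crontab "$t/latest" "$t/now")
    echo "$v1 $v2 $v3"    # updated unchanged wiped
    rm -rf "$t"
}

demo
```

Because the snapshot survives the "wiped" case, recovery on each affected host is `crontab /home/web/crontab.latest`; cron's own mail of the job output (or a non-empty "wiped" line grepped from a central log) is the alert that it happened.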