Date: Tue, 25 Aug 2009 14:25:15 -0500
From: CyberLeo Kitsana <cyberleo@cyberleo.net>
To: Colin Brace <cb@lim.nl>
Cc: CyberLeo <cyberleo@cyberleo.net>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: what www perl script is running?
Message-ID: <4A943A9B.1030703@cyberleo.net>
In-Reply-To: <25135959.post@talk.nabble.com>
References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com> <25134056.post@talk.nabble.com> <20090825134250.GA6871@ei.bzerk.org> <25135959.post@talk.nabble.com>

Colin Brace wrote:
>
> Ruben de Groot wrote:
>> Try a find through the entire filesystem for files owned by this user that
>> you can't account for. Also check your cron and at files under /var/cron
>> and
>> /var/at
>>
>
> I found the cronjob which keeps restarting the script:
>
> [root@venus /var/cron/tabs]# ls -l
> total 12
> -rw-------  1 root  wheel  3440 Aug 25 12:06 colin
> -rw-------  1 root  wheel   240 Jul 28 23:49 www
>
> [root@venus /var/cron/tabs]# cat www
> # DO NOT EDIT THIS FILE - edit the master and reinstall.
> # (cron.job installed on Tue Jul 28 23:49:28 2009)
> # (Cron version -- $FreeBSD: src/usr.sbin/cron/crontab/crontab.c,v 1.24
> 2006/09/03 17:52:19 ru Exp $)
> */1 * * * * perl /tmp/tmpfile
>
> I removed it, so now at least the script stops relaunching.
>
> /tmp/tmpfile is of course the script.
>
> In a subdirectory of tmp, there is a whole bunch of source code, all owned
> by 'www':
>
> /tmp/.,]# ls -l
> total 5692
> -rw-r--r--  1 www  wheel  2844160 Mar 27 10:00 m.tgz
> drwxr-xr-x  4 www  wheel      512 Nov 10  2008 ml
> -rw-r--r--  1 www  wheel    43419 May 27 23:22 scanxml.txt
>
> ]# ls -l ml
> total 3208
> -rwxr-xr-x  1 www  wheel     411 Mar 27 09:57 1.user
> -rwxr-xr-x  1 www  wheel     422 Mar 27 09:57 2.user
> -rwxr-xr-x  1 www  wheel  505767 Aug  3  2008 LinkEvents
> -rwxr-xr-x  1 www  wheel    2154 May 16  2003 Makefile
> -rwx--x--x  1 www  wheel  418490 Dec  3  2005 bsd
> -rwxr-xr-x  1 www  wheel     941 Dec  3  2005 checkmech
> -rwxr-xr-x  1 www  wheel   23237 May 16  2003 configure
> -rwx--x--x  1 www  wheel  397274 Dec  3  2005 crond
> -rwxr-xr-x  1 www  wheel   22882 May 16  2003 m.h
> -rwxr-xr-x  1 www  wheel    1054 Aug  3  2008 m.lev
> -rwx--x--x  1 www  wheel       6 May 25  2008 m.pid
> -rwxr-xr-x  1 www  wheel    1320 Mar 27 09:56 m.set
> -rwxr-xr-x  1 www  wheel   10240 Nov 10  2008 m.tgz
> -rwxr-xr-x  1 www  wheel  167964 Mar 16  2001 pico
> drwxr-xr-x  2 www  wheel     512 Mar  4  2005 r
> drwxr-xr-x  2 www  wheel    1024 Dec  3  2005 src
>
> If anyone is interested in looking at this stuff, or wants more info, please
> let me know.

Are these files available in a tarball someplace public, for those of us
who enjoy performing autopsies on virii?

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
<CyberLeo@CyberLeo.Net>

Furry Peace! - http://wwww.fur.com/peace/

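Added example, not part of the original message or thread: a POSIX sh check for the persistence pattern found above, a service account (`www`) owning a crontab whose entry runs a script out of `/tmp`. The function names, the default service-account list and the sample crontabs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the default
# service-account list are assumptions made for illustration.

# audit_cron_tabs DIR [ACCOUNTS]
# DIR holds one crontab per user, named after the user (FreeBSD keeps
# these in /var/cron/tabs). Prints one tab-separated finding per line:
#   SERVICE-CRONTAB <user>     a service account has a crontab at all
#   TMP-EXEC <user> <entry>    an entry references a world-writable dir
audit_cron_tabs() {
    tabs_dir=$1
    service_accounts=${2:-"www nobody"}
    for tab in "$tabs_dir"/*; do
        [ -f "$tab" ] || continue
        user=$(basename "$tab")
        case " $service_accounts " in
            *" $user "*) printf 'SERVICE-CRONTAB\t%s\n' "$user" ;;
        esac
        # Drop comments and blank lines, then keep entries that mention a
        # path rooted at /tmp, /var/tmp or /dev/shm.
        grep -Ev '^[[:space:]]*(#|$)' "$tab" |
            grep -E '(^|[^[:alnum:]_.-])/(tmp|var/tmp|dev/shm)/' |
            while IFS= read -r entry; do
                printf 'TMP-EXEC\t%s\t%s\n' "$user" "$entry"
            done
    done
}

# make_sample_tabs: build a constructed tabs directory shaped like the one
# in the thread (a 'www' crontab running perl from /tmp, plus a normal
# user crontab) and print its path.
make_sample_tabs() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# DO NOT EDIT THIS FILE - edit the master and reinstall.' \
        '*/1 * * * * perl /tmp/tmpfile' > "$d/www"
    printf '%s\n' 'MAILTO=colin' \
        '0 3 * * * /usr/local/bin/backup.sh /home/colin' > "$d/colin"
    printf '%s\n' "$d"
}
```

On a live FreeBSD host, run `audit_cron_tabs /var/cron/tabs` as root, since the per-user crontab files are readable only by root.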
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A943A9B.1030703>