[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] CROND
- Subject: Re: [cobalt-security] CROND
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 27 Nov 2002 05:34:45 +0100
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Tom,
> I have a process running on one of my Raq4's called CROND. Not to be
> mistaken with crond.
>
> root 4180 0.0 0.1 1156 536 ? S 14:09 0:00 CROND
>
> I am unaware of what this process is. The latest chkrootkit shows no hacks.
> Any ideas of what this might be?
It's normal if this process is a child of the almighty crond and if it has
childs itself. See a small excerpt of a "ps axf" output below:
509 ? S 0:00 crond
3067 ? S 0:00 \_ CROND
3068 ? S 0:00 | \_ bash /usr/bin/run-parts /etc/cron.daily
10900 ? S 0:00 | | \_ sh /etc/cron.daily/webalizer.pl
10906 ? S 0:00 | | \_ perl /usr/bin/webalizer2.pl
17225 ? S 0:01 | | \_ webazolver -N15 -D
What does it mean?
"crond" forked the process shown here as CROND, which itself runs the stuff in
/etc/cron.daily like webalizer and a few other processes not shown in the
above excerpt.
It's now 5:33 am over here and one of my servers is showing 5x CROND as it
processes stuff from /etc/cron.daily like Webalizer, MRTG, Logcheck, SWAT and
so on.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer