[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] CROND

Subject: Re: [cobalt-security] CROND
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
Date: Wed, 27 Nov 2002 05:34:45 +0100
Organization: SOLARSPEED.NET
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hi Tom,

> I have a process running on one of my Raq4's called CROND.  Not to be
> mistaken with crond.
>
> root      4180  0.0  0.1  1156  536 ?        S    14:09   0:00 CROND
>
> I am unaware of what this process is. The latest chkrootkit shows no hacks.
> Any ideas of what this might be?

It's normal if this process is a child of the almighty crond and if it has 
childs itself. See a small excerpt of a "ps axf" output below:

 509 ?        S      0:00 crond
 3067 ?        S      0:00  \_ CROND
 3068 ?        S      0:00  |   \_ bash /usr/bin/run-parts /etc/cron.daily
10900 ?        S      0:00  |   |   \_ sh /etc/cron.daily/webalizer.pl
10906 ?        S      0:00  |   |       \_ perl /usr/bin/webalizer2.pl
17225 ?        S      0:01  |   |           \_ webazolver -N15 -D

What does it mean?

"crond" forked the process shown here as CROND, which itself runs the stuff in 
/etc/cron.daily like webalizer and a few other processes not shown in the 
above excerpt.

It's now 5:33 am over here and one of my servers is showing 5x CROND as it 
processes stuff from /etc/cron.daily like Webalizer, MRTG, Logcheck, SWAT and 
so on.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer

References:
- [cobalt-security] CROND
  - From: Skyhound Internet

Prev by Date: RE: [cobalt-security] CROND
Next by Date: Re: [cobalt-security] CROND
Previous by thread: RE: [cobalt-security] CROND
Next by thread: Re: [cobalt-security] CROND

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index