Topic: Where did my cron job go?

Hi. I have a ttylinux box (epia embedded with 128Mb flash) which looks after the central heating in a remote building. I log on using SSH to edit the cron jobs which switch the boiler on and off. A little while ago I lost contact with the box and had to get the system (box and router) re-booted by a helpful neighbour. Crontab had changed from my jobs to a single one which was:
* * * * * /usr/etc/.font-unix/update >dev/null 2>&1
My question, please, is where did my cron jobs go to and where did this new one come from and what does it think it's doing every minute?
Thanks
--
Richard

Re: Where did my cron job go?

Wow. Weird. I have no idea. There is no /usr/etc/.font-unix/update in ttylinux; not at all, unless it is some pollution from my host (I'll check into that).

All I can think of is searching with google to see if ".font-unix" is somehow related to a busybox /usr/sbin/crond or /usr/bin/crontab program.

Very strange.

Re: Where did my cron job go?

You might consider disconnecting this box from your network until you can figure out what this is. 

What's the ownership of the directory and file?
Can you inspect update to see if it's a script? If so, what's it doing?

I just went looking, found one other person who'd asked about such a directory; the respondent said it was part of xfs, the X font server.  I just inspected the package at the XFree86 site, and there's no such file or directory in it, or created in the Makefile that I can discern.  Based on the obscurity of the placement, the lack of consistency with where it should come from, and the circumstances of its discovery, I'd treat it with much suspicion.  Oh, I also inspected my 12.4 i686 ttylinux install, and it has no such animal...

Re: Where did my cron job go?

I agree with the suspicion. Move this file to some other place and see what sort of file it is and what it is doing. I think your system has been hacked. You didn't leave the ttylinux default passwords in place, did you? Check /var/log/messages for activity around the time you lost contact with the system.

Re: Where did my cron job go?

Thanks, folks. You are quite right, the system had been hacked and the .font-unix directory had a whole bunch of scripts in it including one which over-wrote my cron jobs with its own. I can't work out what many of the others do so have just removed them.
Now it's embarrassment time. I didn't expect my little central heating controller to be used as a stepping stone to world domination and so had left the default password in place. Stupid me! I'll go and stare at a Windows screen for an hour in penance...

Re: Where did my cron job go?

This may sound paranoid, but better safe than sorry...

If the hacker had ssh access, they also had scp access, and therefore the ability to upload files, and not just scripts.  I think you should do a fresh ttylinux install, offline, then reinstall your applications and scripts, and <ominous echo>SECURE THE ACCOUNTS</ominous echo> before reconnecting to your LAN.  They may have put a keylogger on your box, disguised as one of the standard daemons. 

If you have a capable router, you may be able to run tcpdump or somesuch on it to see reporting traffic from malware.  At any rate, don't just assume the .font-unix/ scripts were "it"...

Re: Where did my cron job go?

Indeed, paranoia is the new me...
There is another copy of the .font-unix scripts in /root/sl/e and both directories contain an executable called crond which is larger than that in /usr/sbin. As soon as I can get to the remote site to do so I will reinstall ttylinux and I promise I WILL secure the accounts!
Now, what other silly security blunders have I made elsewhere? I guess I should learn a lesson from this - it *can* happen to me!
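
The crontab entry quoted in the first post runs a program out of a dot-prefixed directory, every minute, with its output discarded. As an added example (not posted by anyone in this thread), the POSIX sh script below flags crontab lines with those traits; the function names and the two boiler entries in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example: audit crontab text for entries like the one in this thread.
# Typical use on the box itself:  crontab -l | audit_crontab

# Constructed sample: two made-up heating jobs plus the entry quoted above.
SAMPLE_CRONTAB='# heating schedule (made-up entries)
0 6 * * * /usr/local/bin/boiler on
0 22 * * * /usr/local/bin/boiler off
* * * * * /usr/etc/.font-unix/update >dev/null 2>&1'

# cron_reasons LINE: print the reasons (space separated) a line looks suspect.
# hidden-dir is the strong signal; every-minute and silenced are weak alone.
cron_reasons() {
    set -f                          # the fields are full of '*': no globbing
    set -- $1
    set +f
    [ $# -gt 5 ] || return 0        # blank, short comment or malformed line
    case $1 in '#'*|*=*) return 0 ;; esac   # comment or VAR=value line
    sched="$1 $2 $3 $4 $5"; shift 5
    prog=$1; cmd="$*"; why=
    # a path component that starts with '.' (but is not '..')
    case $prog in */.[!.]*) why="$why hidden-dir" ;; esac
    if [ "$sched" = "* * * * *" ]; then why="$why every-minute"; fi
    # stdout sent to (something ending in) dev/null and stderr folded into it
    case $cmd in *dev/null*'2>&1'*) why="$why silenced" ;; esac
    printf '%s\n' "${why# }"
}

# audit_crontab: read crontab text on stdin, print "lineno: reasons: entry"
# for each flagged entry; return 1 if any entry runs from a hidden directory.
audit_crontab() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        r=$(cron_reasons "$line")
        [ -n "$r" ] || continue
        printf '%s: %s: %s\n' "$n" "$r" "$line"
        case $r in *hidden-dir*) bad=1 ;; esac
    done
    return "$bad"
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_CRONTAB" | audit_crontab || echo "hidden-directory entry found"
```

A clean result from this check says nothing about replaced binaries such as the extra crond copies mentioned above, so it complements the reinstall rather than replacing it.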