Does anyone know what this means? Getting one of these every minute in a user's inbox:
From: Cron Daemon <[email protected]>
Subject: Cron <joe@mail> /tmp/.d/update >/dev/null 2>&1
To: [email protected]
Received: from murder ([unix socket]) by mail.domain.com (Cyrus v2.2.12-OS X 10.3) with LMTPA; Tue, 04 May 2010 10:35:00 -0700

shell-init: could not get current directory: getcwd: cannot access parent directories: Permission denied
job-working-directory: could not get current directory: getcwd: cannot access parent directories: Permission denied
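Note: Before these errors started, this user's password had been changed with Workgroup Manager. We had to change the password because the user could not log in to their account. Now the user can log in and send/receive mail… but we are getting these Cron Daemon emails every minute?
Note 2: Contents of /tmp/ (don't know where these came from? Hacked?)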
drwxrwxrwt 6 root wheel 204 4 May 12:05 .
drwxr-xr-x 5 root wheel 170 4 May 07:37 ..
-rw------- 1 joe wheel 12288 4 May 12:05 .crontab.FMpeV8DU4U.swp
drwxr-xr-x 20 joe wheel 680 4 May 09:00 .d
-rw------- 1 joe staff 41 4 May 12:05 crontab.FMpeV8DU4U
drwx------ 2 joe wheel 68 4 May 12:05 v5792
srwxrwxrwx 1 root wheel 0 4 May 07:38 ARD_ABJMMRT
-rw-r--r-- 1 root wheel 645 4 May 07:39 mcx_compositor
-rw-r--r-- 1 root wheel 3413 4 May 08:46 users.txt
mail:/tmp/.d bob $ ls -al
total 1128
drwxr-xr-x 20 joe wheel 680 4 May 09:00 .
drwxrwxrwt 6 root wheel 204 4 May 12:05 ..
-rwxr-xr-x 1 joe wheel 250 4 May 12:00 1
-rwxr-xr-x 1 joe wheel 250 4 May 12:00 2
-rwxr-xr-x 1 joe wheel 34 4 May 08:29 LinkEvents
-rwxr-xr-x 1 joe wheel 317 30 Oct 2006 autorun
-rwxr-xr-x 1 joe wheel 491112 23 Jul 2006 bash
-rw-r--r-- 1 joe wheel 41 4 May 08:28 cron.d
-rw-r--r-- 1 joe wheel 1982 4 May 12:30 dorob.seen
-rwxr-xr-x 1 joe wheel 22465 23 Jul 2006 m.help
-rwxr-xr-x 1 joe wheel 1022 4 May 12:00 m.levels
-rw------- 1 joe wheel 4 4 May 08:28 m.pid
-rw-r--r-- 1 joe wheel 871 4 May 12:00 m.session
-rwxr-xr-x 1 joe wheel 1244 4 May 08:28 m.set
-rw-r--r-- 1 joe wheel 8 4 May 08:28 mech.dir
drwxr-xr-x 11 joe wheel 374 26 Dec 2008 r
-rwxr-xr-x 1 joe wheel 29 30 Oct 2006 run
-rw-r--r-- 1 joe wheel 500 4 May 12:30 srjfs.seen
-rwxr-xr-x 1 joe wheel 28 26 Dec 2008 start
-rwxr--r-- 1 joe wheel 151 4 May 08:28 update
Don't know if this helps, but including it because I don't know why it's there… Contents of users.txt:
mail:/tmp bob$ sudo more users.txt
Password:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>imapRequests</key>
    <integer>11</integer>
    <key>popRequests</key>
    <integer>0</integer>
    <key>state</key>
    <string>RUNNING</string>
    <key>totalRequests</key>
    <integer>11</integer>
    <key>usersArray</key>
    <array>
        <dict>
            <key>connectionElapsedTime</key>
            <integer>1275</integer>
            <key>ipAddress</key>
            <string>10.1.10.181</string>
            <key>name</key>
            <string>jim</string>
            <key>number</key>
            <string>1</string>
            <key>type</key>
            <string>imap</string>
        </dict>
        ...repeat a few times...
        <dict>
            <key>connectionElapsedTime</key>
            <integer>1164</integer>
            <key>ipAddress</key>
            <string>241.114.25.183</string>
            <key>name</key>
            <string>bob</string>
            <key>number</key>
            <string>1</string>
            <key>type</key>
            <string>imap</string>
        </dict>
        ...repeat a few times...
    </array>
</dict>
</plist>
Note 3:
The system log is getting hammered every 2-3 seconds:
May 4 12:30:45 mail sshd[7758]: /etc/sshd_config line 93: Deprecated option VerifyReverseMapping
May 4 12:30:48 mail xinetd[352]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
May 4 12:30:48 mail xinetd[352]: START: ssh pid=7760 from=211.210.42.102
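Given the /tmp/.d name, I'd guess you have been hacked. I can't imagine anyone naming it that for a normal reason.
Strictly speaking, it means that the script /tmp/.d/update was run by cron in Joe's home directory, but did not have permission to run on a certain directory specified in the script.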
cannot access parent directories: Permission denied
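means it cannot read/write the directory above the one the script is running in.
Post your script.
Most likely your script works when you run it by hand as root, but by default scripts cannot run as root from cron. You can change that, however, by adding the username to your command in /etc/crontab.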
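The concern raised about the /tmp/.d name, turned into a check (an added example, not part of the original thread): it flags crontab entries whose command runs from a world-writable temp directory or a hidden path, as /tmp/.d/update does. The function names, the temp-directory list and the sample crontab are assumptions constructed for illustration.

```python
import re

# Directories any local user can write to; /tmp is a symlink to /private/tmp on Mac OS X.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/")

def path_reasons(path):
    """Explain why an absolute path is an odd place for a cron job to run from."""
    reasons = []
    if (path + "/").startswith(TEMP_DIRS):
        reasons.append("world-writable temp directory")
    if any(p.startswith(".") and p not in (".", "..") for p in path.split("/")):
        reasons.append("hidden path component")
    return reasons

def audit_crontab(text, user=None):
    """List (user, command, reasons) per risky entry; user=None means /etc/crontab layout."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or re.match(r"[A-Za-z_]\w*\s*=", line):
            continue  # blank line, comment, or environment setting such as MAILTO=
        # "@reboot" or five time fields, plus a user field in the /etc/crontab layout
        maxsplit = (1 if line.startswith("@") else 5) + (user is None)
        fields = line.split(None, maxsplit)
        if len(fields) <= maxsplit:
            continue  # no command present
        owner = user if user is not None else fields[maxsplit - 1]
        command = fields[-1]
        # Redirect targets (>/dev/null, > /tmp/job.log) are outputs, not code that runs.
        no_redirects = re.sub(r"\d*>>?\s*\S+", " ", command)
        reasons = []
        for token in re.split(r"[\s;|&()]+", no_redirects):
            if token.startswith("/"):
                reasons += [r for r in path_reasons(token) if r not in reasons]
        if reasons:
            findings.append((owner, command, reasons))
    return findings

# Constructed sample: the first command is the one in the mail's Subject line;
# the schedule and the other entries are made up for illustration.
SAMPLE_USER_CRONTAB = """\
MAILTO=joe
* * * * * /tmp/.d/update >/dev/null 2>&1
0 3 * * * /usr/local/bin/backup.sh > /tmp/backup.log 2>&1
@reboot cd /var/tmp/.cache && ./start
"""

if __name__ == "__main__":
    for owner, command, reasons in audit_crontab(SAMPLE_USER_CRONTAB, user="joe"):
        print(f"{owner}: {command}  [{', '.join(reasons)}]")
```

Feed it the output of `crontab -u joe -l` with `user="joe"`, or the contents of /etc/crontab with `user` left unset so the user field is read from each line.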