Does anyone know what this means? Every minute, one user's inbox receives one of the following emails:
From: Cron Daemon <[email protected]>
Subject: Cron <joe@mail> /tmp/.d/update >/dev/null 2>&1
To: [email protected]
Received: from murder ([unix socket]) by mail.domain.com (Cyrus v2.2.12-OS X 10.3) with LMTPA; Tue, 04 May 2010 10:35:00 -0700
shell-init: could not get current directory: getcwd: cannot access parent directories: Permission denied
job-working-directory: could not get current directory: getcwd: cannot access parent directories: Permission denied
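Note: Before these errors appeared, this user's password was changed via Workgroup Manager. We had to change the password because the user could not log in to their account. Now the user can log in and send/receive mail... but we get these Cron Daemon emails every minute?!?
Note 2: Contents of /tmp/ (no idea where these came from? Hacked?)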
drwxrwxrwt 6 root wheel 204 4 May 12:05 .
drwxr-xr-x 5 root wheel 170 4 May 07:37 ..
-rw------- 1 joe wheel 12288 4 May 12:05 .crontab.FMpeV8DU4U.swp
drwxr-xr-x 20 joe wheel 680 4 May 09:00 .d
-rw------- 1 joe staff 41 4 May 12:05 crontab.FMpeV8DU4U
drwx------ 2 joe wheel 68 4 May 12:05 v5792
srwxrwxrwx 1 root wheel 0 4 May 07:38 ARD_ABJMMRT
-rw-r--r-- 1 root wheel 645 4 May 07:39 mcx_compositor
-rw-r--r-- 1 root wheel 3413 4 May 08:46 users.txt
mail:/tmp/.d bob$ ls -al
total 1128
drwxr-xr-x 20 joe wheel 680 4 May 09:00 .
drwxrwxrwt 6 root wheel 204 4 May 12:05 ..
-rwxr-xr-x 1 joe wheel 250 4 May 12:00 1
-rwxr-xr-x 1 joe wheel 250 4 May 12:00 2
-rwxr-xr-x 1 joe wheel 34 4 May 08:29 LinkEvents
-rwxr-xr-x 1 joe wheel 317 30 Oct 2006 autorun
-rwxr-xr-x 1 joe wheel 491112 23 Jul 2006 bash
-rw-r--r-- 1 joe wheel 41 4 May 08:28 cron.d
-rw-r--r-- 1 joe wheel 1982 4 May 12:30 dorob.seen
-rwxr-xr-x 1 joe wheel 22465 23 Jul 2006 m.help
-rwxr-xr-x 1 joe wheel 1022 4 May 12:00 m.levels
-rw------- 1 joe wheel 4 4 May 08:28 m.pid
-rw-r--r-- 1 joe wheel 871 4 May 12:00 m.session
-rwxr-xr-x 1 joe wheel 1244 4 May 08:28 m.set
-rw-r--r-- 1 joe wheel 8 4 May 08:28 mech.dir
drwxr-xr-x 11 joe wheel 374 26 Dec 2008 r
-rwxr-xr-x 1 joe wheel 29 30 Oct 2006 run
-rw-r--r-- 1 joe wheel 500 4 May 12:30 srjfs.seen
-rwxr-xr-x 1 joe wheel 28 26 Dec 2008 start
-rwxr--r-- 1 joe wheel 151 4 May 08:28 update
Not sure whether this is useful, but I'm including it because I'm not sure why it's there... Contents of users.txt:
mail:/tmp bob$ sudo more users.txt
Password:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>imapRequests</key>
<integer>11</integer>
<key>popRequests</key>
<integer>0</integer>
<key>state</key>
<string>RUNNING</string>
<key>totalRequests</key>
<integer>11</integer>
<key>usersArray</key>
<array>
<dict>
<key>connectionElapsedTime</key>
<integer>1275</integer>
<key>ipAddress</key>
<string>10.1.10.181</string>
<key>name</key>
<string>jim</string>
<key>number</key>
<string>1</string>
<key>type</key>
<string>imap</string>
</dict>
...repeat a few times...
<dict>
<key>connectionElapsedTime</key>
<integer>1164</integer>
<key>ipAddress</key>
<string>241.114.25.183</string>
<key>name</key>
<string>bob</string>
<key>number</key>
<string>1</string>
<key>type</key>
<string>imap</string>
</dict>
...repeat a few times...
</array>
</dict>
</plist>
Note 3:
The system log is bombarded with messages like these every 2-3 seconds:
May 4 12:30:45 mail sshd[7758]: /etc/sshd_config line 93: Deprecated option VerifyReverseMapping
May 4 12:30:48 mail xinetd[352]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
May 4 12:30:48 mail xinetd[352]: START: ssh pid=7760 from=211.210.42.102
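Answer 1
Given the name /tmp/.d, I'd guess you've been hacked. I can't imagine anyone naming something that for a normal reason.
Strictly speaking, it means that the script /tmp/.d/update is being run by cron from Joe's home directory, but does not have permission to operate on a particular directory specified in the script.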
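A defender-side check for the pattern the first answer points at: a cron entry that runs from a hidden directory under /tmp. This is an added example, not part of the original question or answers; the function name audit_crontab, the directory list and the sample crontab are assumptions constructed for illustration.

```python
import re
import shlex

# Directories any local user can write to; persistent jobs should not live here.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/private/tmp/", "/dev/shm/")
# Five schedule fields (or an @keyword), then the command.
ENTRY = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(.+)$")

def audit_crontab(text):
    """Return (line_number, command, reasons) for each suspicious entry."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and environment lines such as MAILTO=admin.
        if not line or line.startswith("#") or re.match(r"^\w+\s*=", line):
            continue
        match = ENTRY.match(line)
        if not match:
            continue
        command = match.group(1)
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = command.split()
        paths = [t for t in tokens if t.startswith("/")]
        hidden = [c for p in paths for c in p.split("/")
                  if c.startswith(".") and c not in (".", "..")]
        reasons = []
        if any(p.startswith(WORLD_WRITABLE) for p in paths):
            reasons.append("path in world-writable directory")
        if hidden:
            reasons.append("hidden path component")
        if reasons:
            findings.append((number, command, reasons))
    return findings

# Constructed sample in user-crontab format; the fourth line mirrors the
# command shown in the Cron Daemon subject line from the question.
SAMPLE = """\
MAILTO=admin
# nightly rotation
15 3 * * * /usr/local/bin/rotate-logs
* * * * * /tmp/.d/update >/dev/null 2>&1
@reboot /Users/joe/bin/sync.sh
"""

if __name__ == "__main__":
    for number, command, reasons in audit_crontab(SAMPLE):
        print(f"line {number}: {command} -> {', '.join(reasons)}")
```

Feed it the output of `crontab -l -u <user>` for each account on the host.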
Answer 2
cannot access parent directories: Permission denied
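means that it cannot read/write the directory above the one the script is run from.
Post your script.
Your script most likely works when you run it manually as root, but by default it will not be run as root by cron. However, you can change this by adding the username to the command in /etc/crontab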