I’ve seen multiple machines now that require you to “guess” some cron job that is hidden in root’s crontab. My respect to everyone who is clever enough to do this. Since I am not that gifted, I wrote a little tool to detect these things. Worked on shrek. Might be useful for other people as well, so here it is: GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions
Basically it’s a little command line app that will scan
/proc/ regularly to find processes (with their cmdline). To scan in the right moment, it sets up lots of inotify file system watchers all over the system. Most importantly it watches
/usr, which many processes access on execution. Using the events as a trigger, it can catch many short-lived processes.
Once started, you will see most of the processes run on the system printed out on stdout, with PID, UID and cmdline. There is no guarantee though you don’t miss one.
Optionally, you can also print out the inotify events, which can give more information. But beware, there will be many.
The tool did work in my few experiments and also on Shrek, where is nicely finds the cron job. I would not say though it’s well tested