Root Crontab

r00n · November 13, 2018, 8:54pm

Just wondering how you guys detect root cronjobs running if you’re unable to access the root crontab? I’ve hit this several times. I found a bash script below that runs a ps -eo command and does a diff on the variables to catch running processes, but this doesn’t always seem to work. ( I would quote author, but I don’t remember where I found this.)

I just did the “Mercy” VM on vulnhub and ran into this, and just guessed that by the script contents that root was running them. I guessed right, but wanted to have a way to enumerate this correctly in the future rather than guessing.

Script:

#!/bin/bash
IFS=$‘\n’

old=$(ps -eo command)
while true; do
new=$(ps -eo command)
diff <( echo “$old” ) <( echo “$new” )
sleep 1
old=$new
done

ompamo · November 13, 2018, 9:10pm

Some time ago an user posted a tool that works quite well for that: GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions

r00n · November 14, 2018, 5:53pm

This works great! Thanks @ompamo !!

Topic		Replies	Views
pspy - process monitoring / cron job detection Tools	30	19106	March 29, 2020
Forgot the name of binary in linux to see processes running Tools resolved	7	629	March 8, 2019
Root cronjobs Off-topic privesc , cron	1	713	September 21, 2017
script runs every second Machines cron , script , linux , scriptkiddie	4	691	March 31, 2021
Tool for enumerating timers and processes Off-topic	2	273	July 24, 2022

Root Crontab

Related topics