Root Crontab

Just wondering how you guys detect root cronjobs running if you’re unable to access the root crontab? I’ve hit this several times. I found a bash script below that runs a ps -eo command and does a diff on the variables to catch running processes, but this doesn’t always seem to work. ( I would quote author, but I don’t remember where I found this.)

I just did the “Mercy” VM on vulnhub and ran into this, and just guessed that by the script contents that root was running them. I guessed right, but wanted to have a way to enumerate this correctly in the future rather than guessing.

Script:

#!/bin/bash
IFS=$’\n’

old=$(ps -eo command)
while true; do
new=$(ps -eo command)
diff <( echo “$old” ) <( echo “$new” )
sleep 1
old=$new
done

Some time ago an user posted a tool that works quite well for that: GitHub - DominicBreuker/pspy: Monitor linux processes without root permissions

This works great! Thanks @ompamo !!