Join Log in
Score:0
Steve K avatar Server

Strange attempted emails from Cron

jm flag
Steve K

I use Zoho for my email client and last night I got a couple of notifications saying:

Warning! Unverified sender. The system could not verify if this email was sent by [email protected]. Do not click any links or open any attachments, if any, in this email.

The first one was the following:

subject: Cron <root@servername> test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
message: run-parts: /etc/cron.daily/do-agent exited with return code 100

and then about an hour later:

subject: Cron <root@servername>    cd / && run-parts --report /etc/cron.hourly
message: run-parts: /etc/cron.hourly/droplet-agent exited with return code 4

Not sure what to make of this. At first I thought someone gained access to my server. But I am not really sure. I am by no means an expert on the server side. This is just my DigitalOcean droplet that I do mostly development on and host a couple personal sites.

So since the message had run-parts: in it if figured I would check out the cron jobs. Here is the contents the cron.daily directory .placeholder apport apt-compat do-agent dpkg logrotate man-db and the cron.hourly folder has the following in it .placeholder droplet-agent. I don't see anything crazy here.

So then looking at the first email I see test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ). But I don't have anacron in my /usr/sbin/ directory.

Does anyone know what is going on here? Is this something I should be worried about? Why am I receiving these emails? I haven't done anything new on here in a quite a while so it's not like I added something new or anything like that.

Update:

Contents of /etc/cron.daily/do-agent

#!/bin/sh
/bin/bash /opt/digitalocean/do-agent/scripts/update.sh >/dev/null 2>&1

Contents of /opt/digitalocean/do-agent/scripts/update.sh

#!/bin/bash
# vim: noexpandtab

REPO_HOST=https://repos.insights.digitalocean.com
REPO_GPG_KEY_CURRENT=${REPO_HOST}/sonar-agent-current.asc

main() {
        # add some jitter to prevent overloading the packaging machines
        sleep $(( RANDOM % 900 ))

        export DEBIAN_FRONTEND="noninteractive"
        if command -v apt-get 2&>/dev/null; then
                curl -sL "${REPO_GPG_KEY_CURRENT}" | apt-key add -
                apt-get -qq update -o Dir::Etc::SourceParts=/dev/null -o APT::Get::List-Cleanup=no -o Dir::Etc::SourceL>
                apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -qq install -y --only>
        elif command -v yum 2&>/dev/null; then
                rpm --import "${REPO_GPG_KEY_CURRENT}"
                yum -q -y --disablerepo="*" --enablerepo="digitalocean-agent" makecache
                yum -q -y update do-agent
        fi
}

main
115
1 + 6
Romeo Ninov avatar
in flag
Romeo Ninov
Check what is inside `/etc/cron.daily/do-agent`
0
Reply
Steve K avatar
jm flag
Steve K
@RomeoNinov I only have one thing in there `/bin/bash /opt/digitalocean/do-agent/scripts/update.sh >/dev/null 2>&1`
0
Reply
Romeo Ninov avatar
in flag
Romeo Ninov
Check what this script do: `/opt/digitalocean/do-agent/scripts/update.sh`
0
Reply
Steve K avatar
jm flag
Steve K
@RomeoNinov I have updated the question with the contents of these files
1
Reply
Paul avatar
cn flag
Paul
When a server is doing something and I don't understand why, the first thing I assume is I have misconfigured something.
0
Reply
Steve K avatar
jm flag
Steve K
@Paul do you have any insight into what that misconfiguration would be. I would have thought that if I had seen these emails right after I configured the server. But it has had the same configuration for months and this is the first and only time this happened.
0
Reply
Score:2
Romeo Ninov avatar Server
in flag
Romeo Ninov

There is nothing strange. The command check if you have /usr/sbin/anacron and if file do not exist or not executable run run-parts for daily cron. And usually cron send mail to root with the job results. If tou want to stop add as first line in cron.daily line like:

MAILTO=

Same about cron.hourly

+ 2
Steve K avatar
jm flag
Steve K
Thanks I appreciate it. I just kind of find it weird that its in the cron.daily and this is the first and only time I've seen these emails in my Zoho inbox. You would have thought it would be a frequent occurance but it was just once.
0
Reply
Romeo Ninov avatar
in flag
Romeo Ninov
@SteveK, maybe other mails was filtered by mail system. And for me this mail looks perfectly legitime (from cron)
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.