MacNN Forums > Software - Troubleshooting and Discussion > macOS

strange hack....?
renpar61
Forum Regular
Join Date: Aug 2002
Location: DC
Mar 4, 2005, 10:10 AM
 
I posted this problem in the MacOS forum, and as it progresses, I thought I should also post here to see if I can find more help:
Somehow some malicious program or script is adding entries on my root crontab at startup, which randomly launch System Profiler and Explorer, bringing those windows active every minute, and also killing other open applications. The result is that the computer is almost unusable. I can clearly see all the entries with Cronnix and I can delete them. The computer is OK after deleting the entries.
I would need some help to try to find what exactly can cause the crontab to be modified again at every startup. Is there any log that would tell me this? Can I use the terminal to monitor when the process is kicking in?
Thanks again for your suggestions.
     
suthercd
Senior User
Join Date: Oct 2000
Location: Midwest
Mar 4, 2005, 11:15 AM
 
You can examine your system.log with the Console.app in the Utilities folder. Open Console and click on the Logs icon on the top right. Scroll down the list to /var/log, click the triangle to display this directory's contents. System.log will contain the log data since your last restart or since the logs have been last rotated (usually done by a cron process between 3 and 5 AM if your machine is awake at the time). There are past logs archived in the list and selecting one will decompress it. Browsing through the data should give you clues about your situation.

You've probably already checked in /Library/StartupItems and ~/Library/StartupItems for suspect files. If not, check there. There is also a root access startup folder located in /System/Library/StartupItems. That is only modified by a System Software Update, Security Update, the like. Mods to /Library and /System would have required your password when made.

There should be only 3 tasks in the cron file by default, handled by scripts named daily, weekly, and monthly. These handle scheduled system maintenance tasks. If cron tasks are required by a user, the way to handle that is with a cron file located in /private/var/cron/tabs/username. Cronnix is a shareware utility that lets you view and edit your cron file or the system cron. You could also view/edit them with vi or other built-in text editors.

HTH
Craig
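The baseline Craig describes (three periodic jobs and otherwise empty tabs) is easy to check mechanically. The following is an added example written for this thread, not code from the forum, from Cronnix or from Apple: it parses crontab text in both layouts (the /etc/crontab form with a user column, and the per-user /var/cron/tabs/<user> form) and reports any job whose command is not one of the expected periodic scripts or whose schedule fires every minute, which is what the behaviour in the first post would look like in a crontab. The sample crontab is constructed to mirror the 10.3/10.4 default plus one injected line; on a real machine you would feed it the contents of /etc/crontab or of root's tab instead.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class CronEntry(NamedTuple):
    schedule: str   # the five time fields, space-joined
    user: str       # populated only for /etc/crontab-style files
    command: str
    line_no: int


# The three jobs suthercd describes: the periodic scripts run from /etc/crontab.
DEFAULT_COMMANDS: Set[str] = {"periodic daily", "periodic weekly", "periodic monthly"}

_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")   # SHELL=, PATH=, HOME= ...


def parse_crontab(text: str, system_style: bool) -> List[CronEntry]:
    """Parse crontab text into job entries.

    system_style=True: /etc/crontab layout (five time fields, user, command).
    system_style=False: per-user tab such as /var/cron/tabs/root (five time
    fields, command). Blank lines, comments and VAR=value lines are skipped."""
    entries: List[CronEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or _ASSIGNMENT.match(line):
            continue
        n_fields = 7 if system_style else 6
        fields = line.split(None, n_fields - 1)
        if len(fields) < n_fields:
            continue  # too short to be a job line; cron would reject it as well
        schedule = " ".join(fields[:5])
        user = fields[5] if system_style else ""
        entries.append(CronEntry(schedule, user, fields[-1].strip(), n))
    return entries


def audit_crontab(text: str, system_style: bool,
                  allowed: Set[str] = DEFAULT_COMMANDS) -> List[Tuple[int, str, str]]:
    """Return (line number, command, reasons) for every job outside the baseline.

    Two signals are combined: a command that is not one of the expected
    periodic jobs, and a '* * * * *' schedule (a job firing every minute)."""
    findings: List[Tuple[int, str, str]] = []
    for e in parse_crontab(text, system_style):
        reasons = []
        if e.schedule == "* * * * *":
            reasons.append("runs every minute")
        if e.command not in allowed:
            reasons.append("command not in baseline")
        if reasons:
            findings.append((e.line_no, e.command, "; ".join(reasons)))
    return findings


# Constructed sample: the three default periodic jobs plus one injected job of
# the kind the first post describes (an application launched every minute).
SAMPLE_SYSTEM_CRONTAB = """\
# /etc/crontab
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#minute hour    mday    month   wday    who     command
15      3       *       *       *       root    periodic daily
30      4       *       *       6       root    periodic weekly
30      5       1       *       *       root    periodic monthly
*       *       *       *       *       root    open -a "System Profiler"
"""

if __name__ == "__main__":
    for line_no, cmd, why in audit_crontab(SAMPLE_SYSTEM_CRONTAB, system_style=True):
        print(f"line {line_no}: {cmd!r}: {why}")
    # a per-user root tab should be empty, so this reports nothing
    print(audit_crontab("", system_style=False))
```

Run it against the live files with `sudo cat /etc/crontab` and `sudo cat /var/cron/tabs/root` piped into the two functions; anything the audit lists is a line to investigate in system.log and the StartupItems folders rather than simply delete, since the entry itself is only the symptom of whatever re-creates it at boot.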
     
proton
Senior User
Join Date: Nov 2000
Mar 5, 2005, 12:58 AM
 
Just like I've already said in your other thread, this:
/System/Library/StartupItems/PostGrep
should not be there and is very suspicious.

Please get us the contents of the file so we can work out what's going on!

- proton
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Mar 5, 2005, 08:55 AM
 
I have read your other thread... that is, IMO, some seriously screwed up system.

Too bad Apple doesn't have a util (yet) like RPM where one can scan through ALL system packages and verify their "correctness" (MD5, time, size, permissions, etc). All you can do is run Repair Permissions or Verify Permissions. Which would be interesting to do BTW.

There are a number of startup scripts that are run as the system starts located in /etc/. They are /etc/rc, /etc/rc.boot and /etc/rc.common. These are run before Startup Items. You can take a look at them with a text editor (or just 'less /etc/rc' in the Terminal). Not sure if what you see will be much use to you unless you understand shell scripts.

Personally, at this point I would back up all my data and re-install the system. If I had a replacement disk I would take the "problem" disk offline and only mount it read-only to try and determine what went wrong... if there is in fact a trojan of some sort on it.

Unfortunately with a disk that may have been compromised to the level that some sort of startup scripts are being run at the root level you can no longer trust any of the programs and utilities on that disk. Even the Finder or ls or top may have been replaced with hacked versions that are hiding things from you.
-DU-...etc...
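The rpm -V style check utidjian wishes for can be approximated with a small baseline-and-verify script. This is an added example written for this thread, not code from the forum, from Apple or from RPM: build_manifest() records size, permission bits, mtime and a SHA-256 digest for every regular file under a directory, and verify() compares the tree against a saved manifest, reporting modified files with an rpm -V style flag string (S size, M mode, T mtime, 5 digest), added files and missing files. The demo() scenario is constructed in a temporary directory so it runs anywhere: a StartupItems tree is baselined, then a new item appears and an existing script is edited and made executable. The baseline only means something if it was taken from a known-good system and stored where the machine under suspicion cannot alter it, and, as the post says, on a compromised disk the interpreter and hashing library running the check could themselves have been replaced.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

# size, permission bits, mtime in whole seconds, sha256 hex digest
Record = Tuple[int, int, int, str]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, Record]:
    """Record size, mode, mtime and hash for every regular file under root.

    Paths are stored relative to root so the manifest can be kept elsewhere
    (read-only media, another machine) and compared later."""
    manifest: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and the like are not hashed here
            rel = os.path.relpath(full, root)
            manifest[rel] = (st.st_size, stat.S_IMODE(st.st_mode),
                             int(st.st_mtime), _sha256(full))
    return manifest


def verify(root: str, baseline: Dict[str, Record]) -> Dict[str, list]:
    """Compare the tree under root with a saved manifest.

    'modified' entries carry an rpm -V style flag string: S size, M mode,
    T mtime, 5 digest; '.' means that attribute is unchanged."""
    current = build_manifest(root)
    report: Dict[str, list] = {"modified": [], "added": [], "missing": []}
    for rel, old in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != old:
            flags = "".join(f if a != b else "."
                            for f, a, b in zip("SMT5", old, current[rel]))
            report["modified"].append((rel, flags))
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a tiny StartupItems tree, then change it
    the way the thread describes (a new item appears, an existing script is
    edited and made executable) and verify against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        items = os.path.join(root, "StartupItems")
        script = os.path.join(items, "Apache", "Apache")
        os.makedirs(os.path.dirname(script))
        with open(script, "w") as f:
            f.write("#!/bin/sh\n. /etc/rc.common\n")
        baseline = build_manifest(root)

        os.makedirs(os.path.join(items, "PostGrep"))
        with open(os.path.join(items, "PostGrep", "PostGrep"), "w") as f:
            f.write("#!/bin/sh\n")           # inert placeholder content
        with open(script, "a") as f:
            f.write("echo modified\n")
        os.chmod(script, 0o755)
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

For real use, run build_manifest() over /System/Library/StartupItems, /Library/StartupItems and /etc right after a clean install, serialise the dictionary to JSON on removable media, and run verify() from a boot disk you trust; the T flag alone is noise after a Software Update, but a 5 or M change on a startup script is exactly what this thread was chasing.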
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Mar 5, 2005, 09:07 AM
 
One way to get around the problem would be to lock the crontab in question, by using either the user immutable or system immutable flags. The command is "chflags" and the flags in question are "uchg" or "schg". The first is like locking the file in OS 9 - can't modify until you remove the flag. The second is the same except you have to boot into single user mode to remove the flag. The syntax is:

chflags uchg filename

for the user immutable flag.
     
renpar61  (op)
Forum Regular
Join Date: Aug 2002
Location: DC
Mar 5, 2005, 09:14 PM
 
First of all I want to thank everyone for their help. You don't know how much I appreciate it.

Proton was right on target,
/System/Library/StartupItems/PostGrep
was the culprit. I couldn't retrieve much information about it, but I isolated it first, tried rebooting, and the problem is gone. So I deleted it. I tried restarting a few times to double check and everything is OK. Now I have an empty root crontab, as it should be.
Maybe I should be concerned and try to understand what or who put it there, but I'm so happy to have my iBook back that I probably won't bother.

Thanks again!!!
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Mar 5, 2005, 11:42 PM
 
Originally posted by renpar61:
First of all I want to thank everyone for their help. You don't know how much I appreciate it.

Proton was right on target,
/System/Library/StartupItems/PostGrep
was the culprit. I couldn't retrieve much information about it, but I isolated it first, tried rebooting, and the problem is gone. So I deleted it. I tried restarting a few times to double check and everything is OK. Now I have an empty root crontab, as it should be.
Maybe I should be concerned and try to understand what or who put it there, but I'm so happy to have my iBook back that I probably won't bother.

Thanks again!!!
Shame you deleted it... would have been interesting to look it over. Did you ever install a database like PostgreSQL or an email MTA like postfix? Google hits on "postgrep" seem to mainly come up as postfix or PostgreSQL related.
-DU-...etc...