A few days earlier, while I was helping my friend administer his VPS, I noticed a suspicious entry in
last command's output. To make sure nothing shady was running on the server, I ran
ps aux to list all the processes running and started inspecting the output. By pure coincidence, I noticed that there were two cron daemons running, one with the name cron and one with the name crond. The VPS was running Ubuntu Server 14.04 and I knew from experience that the one with the name cron should be the one running by default. So why was there a process named crond running as well?
To find the source of the
crond process, I started by running the
which crond command, but surprisingly got no output. By this time, I was sure that this process was fishy. To find the directory from where this process was running, I ran
pwdx with its pid. The output was:
<pid>: /tmp/ .
I immediately cd'ed to the /tmp/ directory.