Cron Issues?

[theonlydaleking]

getting this:

/etc/cron.daily/maldet:

/etc/cron.daily/maldet: line 56: syntax error near unexpected token `fi'
/etc/cron.daily/maldet: line 56: `fi'

alert on email. Checked the cron for syntax and it looks fine. could this be caused by a source script error?

[rfxn]

@waja any idea on this one, I am not seeing this myself but this is the second such report

[rfxn]

@theonlydaleking what distribution are you running maldet on, including OS release # please?

Thanks

[TheLastProject]

I can confirm this too, Debian 8 here.

[waja]

I'll have a look in my Debian 8 docker container.

[TheLastProject]

Oh, I forgot that I'm running this script on a Vesta system. For what that's worth. As in, the control panel.

[waja]

@theonlydaleking can you please have a look into: bash -x /etc/cron.daily/maldet in this case?

[waja]

After lot of testing, I'm also not able to reproduce this (in my clean Debian 8 docker env). Anyway ... shellcheck has some warnings:

# shellcheck -s bash /etc/cron.daily/maldet

In /etc/cron.daily/maldet line 14:
    source $cnf
               ^-- SC2086: Double quote to prevent globbing and word splitting.


In /etc/cron.daily/maldet line 16:
            source $compatcnf
                       ^-- SC2086: Double quote to prevent globbing and word splitting.


In /etc/cron.daily/maldet line 30:
    . $cron_custom_conf
          ^-- SC2086: Double quote to prevent globbing and word splitting.


In /etc/cron.daily/maldet line 42:
      $find $dir -type f -mtime +7 -print0 | xargs -0 rm -f >> /dev/null 2>&1
                ^-- SC2086: Double quote to prevent globbing and word splitting.


In /etc/cron.daily/maldet line 49:
    sleep $(echo $RANDOM | cut -c1-3) >> /dev/null 2>&1
              ^-- SC2046: Quote this to prevent word splitting.


In /etc/cron.daily/maldet line 63:
if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
     ^-- SC2143: Instead of [ -n $(foo | grep bar) ], use foo | grep -q bar .
        ^-- SC2009: Consider using pgrep instead of grepping ps output.


In /etc/cron.daily/maldet line 95:
                $inspath/maldet -b -r ${conf_hosting_path:-/var/www/sites}/?/?/subdomains/?/html/ $scan_days >> /dev/null 2>&1
                                      ^-- SC2086: Double quote to prevent globbing and word splitting.


In /etc/cron.daily/maldet line 103:
    . $cron_custom_exec
          ^-- SC2086: Double quote to prevent globbing and word splitting.

[theonlydaleking]

@rfxn running this on Centos 6.8 with a cpanel distribution (WHM 56.0 (build 24)) if that helps

Ran the script with -x but I'm not sure what i'm looking for. do you need the output?

[rfxn]

@theonlydaleking yes pleae, output of bash -x /etc/cron.daily/maldet

[rfxn]

@theonlydaleking can you also md5sum the /etc/cron.daily/maldet file please

[theonlydaleking]

root@web [/var/log]# bash -x /etc/cron.daily/maldet
+ export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/opt/MegaRAID/MegaCli:/root/bin
+ PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/opt/MegaRAID/MegaCli:/root/bin
+ export LMDCRON=1
+ LMDCRON=1
+ inspath=/usr/local/maldetect
+ intcnf=/usr/local/maldetect/internals/internals.conf
+ '[' -f /usr/local/maldetect/internals/internals.conf ']'
+ source /usr/local/maldetect/internals/internals.conf
++ inspath=/usr/local/maldetect
++ intcnf=/usr/local/maldetect/internals/internals.conf
++ libpath=/usr/local/maldetect/internals
++ intfunc=/usr/local/maldetect/internals/functions
++ logdir=/usr/local/maldetect/logs
++ confpath=/usr/local/maldetect
++ cnffile=conf.maldet
++ cnf=/usr/local/maldetect/conf.maldet
++ varlibpath=/usr/local/maldetect
++ maldet_log=/usr/local/maldetect/logs/event_log
++ clamscan_log=/usr/local/maldetect/logs/clamscan_log
+++ date +%y%m%d-%H%M
++ datestamp=160706-1752
+++ date +%s
++ utime=1467791558
++ wget_timeout=5
++ wget_retries=3
+++ which wget
++ wget=/usr/bin/wget
+++ echo linux-gnu
+++ grep -i freebsd
++ '[' '' ']'
+++ which md5sum
++ md5sum=/usr/bin/md5sum
+++ which hosted
++ hostid=/usr/bin/hostid
++ '[' /usr/bin/hostid ']'
+++ /usr/bin/hostid
+++ /usr/bin/md5sum
+++ awk '{print$1}'
++ hostid=eae813b1cd9b7ec10c1281d2db11f1fe
++ storename_prefix=eae813b1cd9b7ec10c1281d2db11f1fe.21153
+++ which od
++ od=/usr/bin/od
+++ which find
++ find=/bin/find
+++ which perl
++ perl=/usr/bin/perl
+++ which nice
++ nice=/bin/nice
+++ which cpulimit
++ cpulimit=
+++ which ionic
++ ionice=/usr/bin/ionice
+++ which wc
++ wc=/usr/bin/wc
+++ which mail
++ mail=/bin/mail
+++ which pidof
++ pidof=/sbin/pidof
+++ which stat
++ stat=/usr/bin/stat
+++ which logger
++ logger=/bin/logger
+++ which clamdscan
++ clamdscan=
++ ignore_paths=/usr/local/maldetect/ignore_paths
++ ignore_sigs=/usr/local/maldetect/ignore_sigs
++ ignore_inotify=/usr/local/maldetect/ignore_inotify
++ ignore_file_ext=/usr/local/maldetect/ignore_file_ext
++ quardir=/usr/local/maldetect/quarantine
++ sessdir=/usr/local/maldetect/sess
++ sigdir=/usr/local/maldetect/sigs
++ cldir=/usr/local/maldetect/clean
++ tmpdir=/usr/local/maldetect/tmp
++ userbasedir=/usr/local/maldetect/pub
++ hits_history=/usr/local/maldetect/sess/hits.hist
++ quar_history=/usr/local/maldetect/sess/quarantine.hist
++ sig_version_file=/usr/local/maldetect/sigs/maldet.sigs.ver
++ '[' -f /usr/local/maldetect/sigs/maldet.sigs.ver ']'
+++ cat /usr/local/maldetect/sigs/maldet.sigs.ver
++ sig_version=2016063019179
++ sig_version_url=http://cdn.rfxn.com/downloads/maldet.sigs.ver
++ sig_sigpack_url=http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
++ sig_clpack_url=http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
++ sig_md5_file=/usr/local/maldetect/sigs/md5v2.dat
++ sig_hex_file=/usr/local/maldetect/sigs/hex.dat
++ sig_cav_hex_file=/usr/local/maldetect/sigs/rfxn.ndb
++ sig_cav_md5_file=/usr/local/maldetect/sigs/rfxn.hdb
++ sig_cust_md5_file=/usr/local/maldetect/sigs/custom.md5.dat
++ sig_cust_hex_file=/usr/local/maldetect/sigs/custom.hex.dat
++ lmd_versionsion_file=/usr/local/maldetect/VERSION
++ lmd_version=
++ lmd_referer=LMD::eae813b1cd9b7ec10c1281d2db11f1fe
++ lmd_hash_file=/usr/local/maldetect/internals/VERSION.hash
++ lmd_hash_url=http://cdn.rfxn.com/downloads/maldet.current.hash
++ lmd_version_url=http://www.rfxn.com/downloads/maldet.current.ver
++ clamav_paths='/usr/local/cpanel/3rdparty/share/clamav/ /var/lib/clamav/ /var/clamav/ /usr/share/clamav/ /usr/local/share/clamav'
++ tlog=/usr/local/maldetect/internals/tlog
+++ which inotifywait
++ inotify=
++ inotify_log=/usr/local/maldetect/logs/inotify_log
++ inotify_user_instances=128
++ inotify_trim=150000
++ hex_fifo_path=/usr/local/maldetect/internals/hexfifo
++ hex_fifo_script=/usr/local/maldetect/internals/hexfifo.pl
++ hex_string_script=/usr/local/maldetect/internals/hexstring.pl
++ scan_user_access_minuid=40
++ find_opts='-regextype posix-egrep'
++ email_template=/usr/local/maldetect/internals/scan.etpl
+++ hostname
++ email_subj='maldet alert from web.studiomatrix.com.au'
++ cron_custom_exec=/usr/local/maldetect/cron/custom.cron
++ cron_custom_conf=/usr/local/maldetect/cron/conf.maldet.cron
++ compatcnf=/usr/local/maldetect/internals/compat.conf
+ '[' -f /usr/local/maldetect/conf.maldet ']'
+ source /usr/local/maldetect/conf.maldet
++ email_alert=1
++ email_addr=webmaster@studiomatrix.com.au
++ email_ignore_clean=0
++ autoupdate_signatures=1
++ autoupdate_version=1
++ autoupdate_version_hashed=1
++ import_config_url=
++ import_custsigs_md5_url=
++ import_custsigs_hex_url=
++ scan_max_depth=15
++ scan_min_filesize=24
++ scan_max_filesize=768k
++ scan_hexdepth=65536
++ scan_hexfifo=1
++ scan_hexfifo_depth=524288
++ scan_clamscan=1
++ scan_tmpdir_paths='/tmp /var/tmp /dev/shm'
++ scan_user_access=0
++ scan_cpunice=19
++ scan_ionice=6
++ scan_cpulimit=0
++ scan_ignore_root=1
++ scan_ignore_user=
++ scan_ignore_group=
++ scan_find_timeout=0
++ scan_export_filelist=0
++ quarantine_hits=1
++ quarantine_clean=1
++ quarantine_suspend_user=0
++ quarantine_suspend_user_minuid=500
++ inotify_base_watches=16384
++ inotify_sleep=30
++ inotify_reloadtime=3600
++ inotify_minuid=500
++ inotify_docroot=public_html
++ inotify_cpunice=18
++ inotify_ionice=6
++ inotify_cpulimit=0
++ string_length_scan=0
++ string_length=150000
+ '[' -f /usr/local/maldetect/internals/compat.conf ']'
+ source /usr/local/maldetect/internals/compat.conf
++ '[' '!' '' ']'
++ '[' '' ']'
++ '[' '!' 1 ']'
++ '[' '!' 0 ']'
++ '[' '!' 500 ']'
++ '[' '!' 15 ']'
++ '[' '!' 24 ']'
++ '[' '!' 768k ']'
++ '[' '!' 65536 ']'
++ '[' '!' 1 ']'
++ '[' '!' 524288 ']'
++ '[' '!' 1 ']'
++ '[' '!' '/tmp /var/tmp /dev/shm' ']'
++ '[' '!' 0 ']'
++ '[' '!' 40 ']'
++ '[' '!' 19 ']'
++ '[' '!' 30 ']'
++ '[' '!' public_html ']'
++ '[' '!' 18 ']'
++ '[' '!' /usr/local/maldetect/sigs/maldet.sigs.ver ']'
++ '[' '!' http://cdn.rfxn.com/downloads/maldet.sigs.ver ']'
++ '[' '!' 2016063019179 ']'
++ '[' '!' http://cdn.rfxn.com/downloads/maldet-sigpack.tgz ']'
++ '[' '!' http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz ']'
++ '[' '!' /usr/local/maldetect/sigs/md5v2.dat ']'
++ '[' '!' /usr/local/maldetect/sigs/hex.dat ']'
++ '[' '!' /usr/local/maldetect/sigs/rfxn.ndb ']'
++ '[' '!' /usr/local/maldetect/sigs/rfxn.hdb ']'
++ '[' '!' /usr/local/maldetect/sigs/custom.md5.dat ']'
++ '[' '!' /usr/local/maldetect/sigs/custom.hex.dat ']'
++ '[' '!' '' ']'
++ '[' '' ']'
++ '[' '!' '' ']'
++ '[' '' ']'
++ '[' '!' /usr/local/maldetect/internals/VERSION.hash ']'
++ '[' '!' http://cdn.rfxn.com/downloads/maldet.current.hash ']'
++ '[' '!' http://www.rfxn.com/downloads/maldet.current.ver ']'
++ '[' '!' /usr/local/maldetect/internals/hexfifo ']'
++ '[' '!' /usr/local/maldetect/internals/hexstring.pl ']'
++ '[' '!' /usr/local/maldetect/internals/hexfifo.pl ']'
+ '[' -f /etc/sysconfig/maldet ']'
+ . /etc/sysconfig/maldet
+ '[' -f /usr/local/maldetect/cron/conf.maldet.cron ']'
+ . /usr/local/maldetect/cron/conf.maldet.cron
+ '[' -z '' ']'
+ scan_days=1
+ '[' /bin/find ']'
+ tmpdirs='/usr/local/maldetect/tmp /usr/local/maldetect/sess /usr/local/maldetect/quarantine /usr/local/maldetect/pub'
+ for dir in '$tmpdirs'
+ '[' -d /usr/local/maldetect/tmp ']'
+ /bin/find /usr/local/maldetect/tmp -type f -mtime +7 -print0
+ xargs -0 rm -f
+ for dir in '$tmpdirs'
+ '[' -d /usr/local/maldetect/sess ']'
+ /bin/find /usr/local/maldetect/sess -type f -mtime +7 -print0
+ xargs -0 rm -f
+ for dir in '$tmpdirs'
+ '[' -d /usr/local/maldetect/quarantine ']'
+ /bin/find /usr/local/maldetect/quarantine -type f -mtime +7 -print0
+ xargs -0 rm -f
+ for dir in '$tmpdirs'
+ '[' -d /usr/local/maldetect/pub ']'
+ /bin/find /usr/local/maldetect/pub -type f -mtime +7 -print0
+ xargs -0 rm -f
+ '[' 1 == 1 ']'
++ echo 3955
++ cut -c1-3
+ sleep 395
+ '[' 1 == 1 ']'
+ /usr/local/maldetect/maldet -d
+ '[' 1 == 1 ']'
+ /usr/local/maldetect/maldet -u
++ ps -A --user root -o cmd
++ grep maldetect
++ grep inotifywait
+ '[' '' ']'
+ '[' -d /home/virtual ']'
+ '[' -d /etc/psa ']'
+ '[' -d /usr/local/directadmin ']'
+ '[' -d /var/www/clients ']'
+ '[' -d /etc/webmin/virtual-server ']'
+ '[' -d /usr/local/ispmgr ']'
+ '[' -d /var/customers/webs ']'
+ '[' -d /usr/local/vesta ']'
+ '[' -d /usr/share/dtc ']'
+ /usr/local/maldetect/maldet -b -r '/home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/' 1
+ '[' -f /usr/local/maldetect/cron/custom.cron ']'
+ . /usr/local/maldetect/cron/custom.cron
root@web [/var/log]#

[theonlydaleking]

and the md5sum

bddfc2f11ec5413a964b3c22de7ba833 /etc/cron.daily/maldet

Is that what you need? @rfxn

[waja]

@theonlydaleking this sleep 141 in line 49, but you reported an error in line 56, which might be related to the condition right after the sleep. Can you please repeat the bash -x /etc/cron.daily/maldet and wait? The script should progress after the sleep command. Thanks!

[theonlydaleking]

@waja ah yup my mistake, updated my comment above after sleep finished

[waja]

Hmm ... cool! In your output there is no nothing about your origin reported error.

[rfxn]

@theonlydaleking did this error happen only once or is it happening every day?

[errimp]

/etc/cron.daily/maldet updates itself while it's running.

If a new version is available /etc/cron.daily/maldet fail:

# /etc/cron.daily/maldet 
/etc/cron.daily/maldet: line 56: on: command not found
/etc/cron.daily/maldet: line 58: syntax error near unexpected token `fi'
/etc/cron.daily/maldet: line 58: `fi'

Update running script has unpredictable results.

[theonlydaleking]

It didn't happen last night so it looks like it might have been a once off thing, i'll keep an eye on it and keep you posted

[rfxn]

We can probably fix this by, on version updates, detect if the LMD_CRON variable is set, if so then break/exit out of the existing cron and re-execute it cleanly.

[rfxn]

This issue is fixed by latest release. If there are further reports of similar issues in the future, I will more aggressively check for / exit on updates during cron execution.

[nboisteault]

Hi,
I had this issue today :

/etc/cron.daily/maldet:
/etc/cron.daily/maldet: line 56: n: command not found
/etc/cron.daily/maldet: line 59: syntax error near unexpected token `fi'
/etc/cron.daily/maldet: line 59: `fi'

Then I ran the script again and I had no errors.

Linux Malware Detect v1.6.1
            (C) 2002-2017, R-fx Networks <proj@rfxn.com>
            (C) 2017, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

[halo44-de]

I must confirm this issue. Had it yesterday while updating from 1.6 to 1.6.1. OS Debian Jessie.

[hume1991]

I also had the problem to version 1.6.1.
No more error message.

etc/cron.daily/maldet:
/etc/cron.daily/maldet: line 56: n: command not found
/etc/cron.daily/maldet: line 59: syntax error near unexpected token fi' /etc/cron.daily/maldet: line 59: fi'
run-parts: /etc/cron.daily/maldet exited with return code 2.

Is the problem resolved?
Ubuntu 14.04.5 LTS.