A few days ago, every time I log in after I boot, polkit tries to ask me to authenticate for crond.service (which doesn't exist), even though I have no cron related things installed on my computer at all. It crashes from early EOF immediately after showing up after I log into a tty.
systemctl status polkit:
Apr 30 22:30:30 archlinux polkitd[1574]: Loading rules from directory /usr/share/polkit-1/rules.d
Apr 30 22:30:30 archlinux polkitd[1574]: Finished loading, compiling and executing 6 rules
Apr 30 22:30:30 archlinux systemd[1]: Started Authorization Manager.
Apr 30 22:30:30 archlinux polkitd[1574]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr 30 22:30:30 archlinux polkitd[1574]: Registered Authentication Agent for unix-process:1547:2250 (system bus name :1.23 [/usr/bin/pkttyagent --notify-fd 6 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 30 22:30:31 archlinux polkitd[1574]: Operator of unix-process:1547:2250 FAILED to authenticate to gain authorization for action org.freedesktop.systemd1.manage-units for system-bus-name::1.21 [systemctl start crond.service] (owned by unix-user:monkey)
Apr 30 22:30:31 archlinux polkitd[1574]: Unregistered Authentication Agent for unix-process:1547:2250 (system bus name :1.23, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Last edited by stupidmonkey (2025-05-03 19:28:56)
No, it wants you to authenticate for "systemctl start", most likely you've something like this in your .[shell]rc / .*profile?
No, I've never added anything like that in my shell profile/settings and I couldn't find anything that has it in /etc/profile /etc/profile.d/ /etc/zsh/zprofile etc.
grep -d skip crond ~/.* /etc/* /etc/profile.d/*
I get this:
/bin/grep: /etc/profile.d/bash.cfg: binary file matches
It is a binary file, so I missed it.
I don't know what it does and have no clue how it got there, what do I do with it? Do I just delete it?
pacman says that it isn't owned by any package so I deleted it
I rebooted twice and then it came back again
Google has only malware hits for that, http://vms.drweb-av.de/virus/?i=28062427 (ignore the self-advert at the end) - do you also have the other files in that list? (Though it seems consistent with your symptoms.)
Curing recommendations
Nuke the system, start over, don't run shady stuff from the internet
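One way to act on the suggestion above to check for the other files, as an added example that is not code from the thread: a POSIX sh audit of a directory whose every file is sourced at login (such as /etc/profile.d) or run at boot (such as /etc/systemd/system), flagging files that contain NUL bytes (the "binary file matches" finding earlier in the thread) and, on Arch, files no pacman package owns. The directory paths, the function names and the reliance on pacman -Qo are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a directory whose files get
# sourced or executed automatically (e.g. /etc/profile.d, /etc/systemd/system)
# for two red flags seen in this thread:
#   * a file containing NUL bytes where only text belongs ("binary file matches")
#   * a file no installed pacman package owns (pacman -Qo fails)
# Usage: audit_and_report /etc/profile.d; audit_and_report /etc/systemd/system

# True when the file contains at least one NUL byte: stripping NULs shrinks it.
is_binary() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -ne "$(wc -c < "$1" | tr -d ' ')" ]
}

# True when no installed package owns the file. Only meaningful on Arch
# (assumption); when pacman is absent the check is skipped and nothing is flagged.
is_unowned() {
    command -v pacman >/dev/null 2>&1 || return 1
    ! pacman -Qo "$1" >/dev/null 2>&1
}

# Prints one "REASON path" line per finding; prints nothing for a clean directory.
audit_dir() {
    dir=$1
    for f in "$dir"/* "$dir"/.*; do
        [ -f "$f" ] || continue      # skips . and .. and unmatched globs
        if is_binary "$f"; then
            echo "binary $f"
        fi
        if is_unowned "$f"; then
            echo "unowned $f"
        fi
    done
}

# Prints the findings and returns 1 when anything was flagged, so a systemd
# timer or cron job can turn a non-zero exit into an alert.
audit_and_report() {
    findings=$(audit_dir "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root on the real directories; a package-owned file that was modified in place is not caught by this check, which is what pacman -Qkk or a reinstall is for.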
Yes, I have many of those files, I've actually noticed /.mod before and I've deleted it before and it also comes back too... everything in the home directory should be fine right? I'll delete everything else ig
Other weird stuff that happened recently was that I couldn't log in as root and had to change the passwd
but I don't remember anything I ran these past few days that could've caused this
You have to understand that the system has been compromised - it's not clear what has been altered, but something malicious had root access to the system.
You can delete the malicious files and hope for the best, but the correct approach is to set up the system from scratch and not add files from the old system (including your $HOME) unvetted - certainly nothing executable, but it could have compromised some config file that is parsed by some process to execute a configurable command.
oh no
My system is kind of a mess, it's kinda hard to reset.
I can't reinstall yet bc I depend on my Arch.
I'll get Gentoo working first though.
It might take a few months bc my computer is so slow.
Did you reboot after removing those files and did they come back?
Did you check the CPU load?
Maybe the system has been slow because you were mining bitcoins…
It is not a very good idea to set up a new system on the same hardware that is also running a compromised system.
In theory the latter could scan your partitions for other OS and try to replicate itself there.
Did you reboot after removing those files and did they come back?
Last time they did... but not this time.
Did you check the CPU load?
Yeah, it's normal.
Maybe the system has been slow because you were mining bitcoins…
No, my computer just sucks, it's always kinda slow.
I deleted the files mentioned by Dr.Web and rebooted, this time they didn't respawn, I disabled quotaon.service (which was part of the virus I think) and everything seems back to normal? I'll just keep using Arch until it comes back again.
In the meantime I'm going to get Gentoo working.
I had a quick look, quotaon.service showed up as linux when booting with systemd, which I did notice before actually, and it ran /boot/system.pub (which was another part of the virus but I didn't read it), and also /etc/profile.d/gateway.sh ran some weird stuff.
It might have been due to the fact that I set up ssh recently, and when I first set up my system my root password was 123456 and I never changed it...
Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Edit, more helpful than the meme: http://wiki.archlinux.org/title/OpenSSH#Protection
Last edited by seth (2025-05-03 06:09:22)