
/tmp/.h/update >/dev/null - what's that?


On one of our servers (Debian Lenny) I found these strange lines in the syslog:
 Sep 13 06:31:01 samba2 /USR/SBIN/CRON[3455]: (tmp) CMD (/tmp/.h/update >/dev/null 2>&1)
 Sep 13 06:32:01 samba2 /USR/SBIN/CRON[3466]: (tmp) CMD (/tmp/.h/update >/dev/null 2>&1)
 Sep 13 06:33:01 samba2 /USR/SBIN/CRON[3476]: (tmp) CMD (/tmp/.h/update >/dev/null 2>&1)
and so on.

The cronjob is initiated from /var/spool/cron/crontabs/tmp:
 # DO NOT EDIT THIS FILE - edit the master and reinstall.
 # (cron.d installed on Tue Jul 14 10:33:55 2009)
 # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
 * * * * * /tmp/.h/update >/dev/null 2>&1

/tmp/.h/update does not exist. User "tmp" is used for samba mapping only. Its home is in /home/tmp, which doesn't exist either.

Any idea where this cronjob could be from? Could this be an indication of a hack attempt / rootkit?

Any help would be much appreciated!
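
Added example, not part of the original post: a small triage script that scans cron records in syslog, like the ones quoted above, and flags jobs whose command uses a path in a world-writable directory or with a hidden component. The directory list, the function names and the benign logrotate line in the sample are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption: directories any local user can write to on a typical Linux host.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: two lines copied from the post plus one invented benign job.
SAMPLE_SYSLOG = """\
Sep 13 06:31:01 samba2 /USR/SBIN/CRON[3455]: (tmp) CMD (/tmp/.h/update >/dev/null 2>&1)
Sep 13 06:31:01 samba2 /USR/SBIN/CRON[3456]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
Sep 13 06:32:01 samba2 /USR/SBIN/CRON[3466]: (tmp) CMD (/tmp/.h/update >/dev/null 2>&1)
"""

# Matches cron's "(user) CMD (command)" syslog records.
CRON_RE = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")


def path_reasons(cmd):
    """Return reasons why absolute paths used in a cron command look suspicious."""
    reasons = []
    for token in cmd.split():
        if not token.startswith("/"):
            continue  # skips redirections such as ">/dev/null" and "2>&1"
        path = PurePosixPath(token)
        if any(str(path).startswith(d + "/") for d in WORLD_WRITABLE):
            reasons.append("world-writable directory")
        if any(part.startswith(".") for part in path.parts):
            reasons.append("hidden path component")
    return sorted(set(reasons))


def suspicious_jobs(syslog_text):
    """Map (user, command) to its reasons and run count for flagged cron records."""
    hits = {}
    for line in syslog_text.splitlines():
        m = CRON_RE.search(line)
        if not m:
            continue
        reasons = path_reasons(m["cmd"])
        if reasons:
            entry = hits.setdefault((m["user"], m["cmd"]), {"reasons": reasons, "runs": 0})
            entry["runs"] += 1
    return hits


if __name__ == "__main__":
    for (user, cmd), info in suspicious_jobs(SAMPLE_SYSLOG).items():
        print(f"{user}: {cmd!r} ran {info['runs']}x -> {', '.join(info['reasons'])}")
```
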
