/tmp/.h/update >/dev/null - what's that?

To: debian-user@lists.debian.org
Subject: /tmp/.h/update >/dev/null - what's that?
From: Till Wimmer <g4-lisz@tonarchiv.ch>
Date: Mon, 14 Sep 2009 20:26:14 +0200
Message-id: <[🔎] 4AAE8AC6.9090402@tonarchiv.ch>

Hi,

on one of our servers (Debian Lenny) i found this strange lines in thesyslog:

...

Sep 13 06:31:01 samba2 /USR/SBIN/CRON[3455]: (tmp) CMD (/tmp/.h/update>/dev/null 2>&1)Sep 13 06:32:01 samba2 /USR/SBIN/CRON[3466]: (tmp) CMD (/tmp/.h/update>/dev/null 2>&1)Sep 13 06:33:01 samba2 /USR/SBIN/CRON[3476]: (tmp) CMD (/tmp/.h/update>/dev/null 2>&1)

 ...
and so on.

The cronjob is initiated from /var/spool/cron/crontabs/tmp:
 # DO NOT EDIT THIS FILE - edit the master and reinstall.
 # (cron.d installed on Tue Jul 14 10:33:55 2009)
 # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
 * * * * * /tmp/.h/update >/dev/null 2>&1

/tmp/.h/update does not exist. User "tmp" is used for samba mappingonly. It's home is in /home/tmp, which doesn't exist neither.

Any idea where this cronjob could be from? Could this be an indicationof hack attempt / root kit?


Any help would be much appreciated!
Regards,
TW

Reply to:

Prev by Date: Re: debian in 64 bit
Next by Date: LVM logical volumes get deactivated on reboot
Previous by thread: Re: Status of snapshot.debian.net|org ?
Next by thread: LVM logical volumes get deactivated on reboot
Index(es):
- Date
- Thread