"* * * * * /tmp/.update startup" in my crontab

Hi all,

I’m working on Fedora Linux 43 (Workstation Edition). Then my terminal on my other monitor goes weird. Then my IDE goes away. Before the terminal went I see “mail for ghenry”, which is ultra-weird.

The email is:

Subject: Cron <xxx@gavins-desktop> /tmp/.update startup
Date: Fri, 20 Feb 2026 15:26:00 +0000

/bin/sh: line 1: /tmp/.update: No such file or directory

Open up crontab -e and see this

“* * * * * /tmp/.update startup”

cron logs show this job started at 14:57 today:

Feb 20 14:01:00 desktop run-parts[1380578]: (/etc/cron.hourly) starting 0anacron
Feb 20 14:01:00 desktop run-parts[1380584]: (/etc/cron.hourly) finished 0anacron
Feb 20 14:01:00 desktop CROND[1380574]: (root) CMDEND (run-parts /etc/cron.hourly)
Feb 20 14:57:36 desktop crontab[1399397]: (xx) LIST (xx)
Feb 20 14:57:36 desktop crontab[1399396]: (xx) REPLACE (xx)
Feb 20 14:58:00 desktop CROND[1399501]: (xx) CMD (/tmp/.update startup)
Feb 20 14:58:00 desktop CROND[1399499]: (xx) CMDEND (/tmp/.update startup)
Feb 20 14:59:00 desktop CROND[1399651]: (xx) CMD (/tmp/.update startup)
Feb 20 14:59:00 desktop CROND[1399643]: (xx) CMDEND (/tmp/.update startup)

Rebooted, things were working right apart from Chrome. Nothing in /tmp/.update but I’m kinda crapping it like I’ve been compromised. I’ve checked passwd/users/other cron stuff.

Google showing me nothing for “* * * * * /tmp/.update startup”

Weird thing is I got a call from my “ISP” at 14:50 which I called back but says it’s closed. Call the main number for my ISP and they have no record, even though the Samsung SPAM id says it was my ISP even with their logo. Very close to it. So obviously fake.

How did a crontab entry get created?

Thanks.

Hard to say what happened without the actual content of /tmp/.update. The fact that the file is hidden and that it was added to your crontab to run every minute makes me very suspicious. But since you had the same reaction, I guess that won’t surprise you.

So that’s the crontab for your user, not root, correct?

You could take a look at the files in /var/spool/cron/crontabs/, run stat to get the mtime of the affected crontab. Maybe when the file was modified gives you a clue what happened, maybe there are logs from around that time, too, maybe you remember what you were doing, etc.


Modern software will use systemd timers.

That a crontab was added is very concerning.

My terminal went. I couldn’t alt+FX to get another screen up. No choice but to reboot. I wonder if I’ve activated anything. That file was gone after the reboot. I’ll do an av scan, but still. I checked all the usual logs and my router logs. Will stay alert for top and iftop things, but if it’s that sophisticated, they might be replaced and other tools.

I did actually do a dnf search python in that terminal first and was installing some things via pip. May be a supply chain attack.

From your shell history, can you see which packages you installed from pip?

pip install -r requirements.txt
pip install --upgrade setuptools
pip install -r requirements.txt
pip install ez_setup
pip install unroll
pip install -U pip
.venv/bin/pip install gevent
.venv/bin/pip install -r requirements.txt
.venv/bin/pip install libsass

requirements.txt has:

six>=1.15.0
Werkzeug==2.0.3
Flask==2.0.3
Flask-Login
Flask-Redis
sqlalchemy<1.4
Flask-SQLAlchemy==2.5.1
Flask-QRcode
Pillow
boto3
bcrypt
phonenumbers
requests
stripe==13.0.1
python-dateutil
oslo.config
mysqlclient==2.2.4
libsass==0.14.5
sentry-sdk[flask]
inflect
ipaddress
pyotp==2.3.0
geoip2
protobuf==3.20.1
google-api-python-client
unicodecsv
pyOpenSSL==24.2.1
mandrill
dnspython
python-whois
whoosh
dropbox==10.2.0
urllib3
sendgrid==5.6.0
pywhois
oauth2client
twilio
gocardless-pro
google-auth
google-cloud-pubsub
google-cloud-storage
google-cloud-texttospeech
google-cloud-recaptcha-enterprise
html2text
pybase64
simplejson
msal
python-jose
pytz
cockroachdb==0.3.5
psycopg2-binary==2.9.10
UnleashClient

And with good reason! It can be used for privilege escalation, because any user can add a shell script to /tmp/.update which will then be run as another user.

These two are interesting:

https://www.joesandbox.com/index.php/analysis/1822612/0/pdf

Google search for "update startup" script cron

Yep:

sh (PID: 5458, Parent: 5431, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "(crontab -l 2>/dev/null; echo '* * * * * /usr/bin/.update startup') | crontab - 2>/dev/null"

but /tmp. Reading more. Still not sure where it came from.

Running clamscan now.
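The checks discussed in this thread (a LIST followed by a REPLACE in the same second, which is what the sandbox one-liner `(crontab -l; echo '...') | crontab -` produces under cronie, then CMD lines for a hidden executable in /tmp running every minute) can be scripted so the cron log and the user's crontab are correlated in one pass. This is an added example, not code from the thread or from any participant; the log lines and the crontab below are constructed from the lines quoted in the posts (the user name placeholder "xx" is kept), and the log regex assumes cronie's syslog format as shown there.

```python
import os
import re
from datetime import datetime

# Constructed sample input modelled on the cron log lines quoted in the thread
# (not a real capture; the user name is the placeholder "xx" as in the post).
CRON_LOG = """\
Feb 20 14:01:00 desktop CROND[1380574]: (root) CMDEND (run-parts /etc/cron.hourly)
Feb 20 14:57:36 desktop crontab[1399397]: (xx) LIST (xx)
Feb 20 14:57:36 desktop crontab[1399396]: (xx) REPLACE (xx)
Feb 20 14:58:00 desktop CROND[1399501]: (xx) CMD (/tmp/.update startup)
Feb 20 14:58:00 desktop CROND[1399499]: (xx) CMDEND (/tmp/.update startup)
Feb 20 14:59:00 desktop CROND[1399651]: (xx) CMD (/tmp/.update startup)
"""

# Constructed crontab for the same user: one plausible legitimate job plus the injected line.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /home/xx/bin/backup.sh
* * * * * /tmp/.update startup
"""

# cronie log shape assumed here: "<ts> <host> <crontab|CROND>[pid]: (<user>) <ACTION> (<arg>)"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>crontab|CROND)\[\d+\]: \((?P<user>[^)]+)\) "
    r"(?P<action>LIST|REPLACE|CMD|CMDEND) \((?P<arg>.*)\)$"
)

# Directories any local user can write to; an executable here is not a stable, owned path.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_log(text):
    """Return cron-log events as dicts; 'when' is a datetime (syslog has no year, so it is ignored)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def suspicious_entries(crontab_text):
    """Flag crontab lines a responder would want to look at, with the reasons for each."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # @reboot-style lines are out of scope for this check
        schedule, command = fields[:5], fields[5]
        exe = command.split()[0]
        reasons = []
        if schedule == ["*"] * 5:
            reasons.append("runs every minute")
        if exe.startswith(WORLD_WRITABLE):
            reasons.append("executable lives in a world-writable directory")
        if os.path.basename(exe).startswith("."):
            reasons.append("hidden executable name")
        if reasons:
            findings.append({"entry": line, "command": command, "reasons": reasons})
    return findings


def list_replace_pairs(events):
    """Timestamps of REPLACE events preceded by a LIST for the same user within one second.
    That pairing matches `(crontab -l; echo '...') | crontab -` rather than an interactive edit."""
    out = []
    for rep in (e for e in events if e["action"] == "REPLACE"):
        if any(e["action"] == "LIST" and e["user"] == rep["user"]
               and 0 <= (rep["when"] - e["when"]).total_seconds() <= 1
               for e in events):
            out.append(rep["ts"])
    return out


def correlate(events, findings):
    """For each REPLACE, list when cron later ran one of the flagged commands for that user."""
    bad_commands = {f["command"] for f in findings}
    report = []
    for rep in (e for e in events if e["action"] == "REPLACE"):
        runs = [e["ts"] for e in events
                if e["action"] == "CMD" and e["user"] == rep["user"]
                and e["when"] >= rep["when"] and e["arg"] in bad_commands]
        report.append({"replaced_at": rep["ts"], "user": rep["user"], "runs": runs})
    return report


if __name__ == "__main__":
    evs = parse_log(CRON_LOG)
    flagged = suspicious_entries(CRONTAB)
    for f in flagged:
        print("suspicious:", f["entry"], "->", "; ".join(f["reasons"]))
    print("piped crontab replacement at:", list_replace_pairs(evs))
    print("correlation:", correlate(evs, flagged))
```

On a live box you would feed `journalctl -u crond` (or /var/log/cron) into parse_log and `crontab -l` into suspicious_entries, and compare the REPLACE timestamp against `stat` on the spool file under /var/spool/cron, as suggested earlier in the thread. The checks are heuristics: a legitimate job can run every minute, but one that does so from a dotfile in /tmp deserves a look.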

Had another thought of what I was doing at the time. For a customer project, I have to shutdown my local httpd and fire up nginx with their config. So that was running with some old rules in my router for forwarding port 80 and 443 (now removed). I see this in the nginx logs:

78.128.112.74 - - [20/Feb/2026:14:57:36 +0000] "SSH-2.0-Go" 400 157 "-" "-"

Then this in my cron logs:

Feb 20 14:57:36 desktop crontab[1399397]: (xxx) LIST (xxx)
Feb 20 14:57:36 desktop crontab[1399396]: (xxx) REPLACE (xxx)

That must be it.

rpm -q nginx
nginx-1.28.2-1.fc43.x86_64