I have crontabs running as the default ubuntu user. Just today I noticed that my entire crontab was deleted and replaced with the usual boilerplate, as happens if you execute crontab -r.

Some log entries of note:

/var/log/syslog

Mar 15 14:45:18 localhost crontab[4732]: (ubuntu) DELETE (ubuntu)

/var/log/auth.log

Mar 15 14:46:02 localhost sshd[4793]: Connection closed by 127.0.0.1 [preauth]
Mar 15 14:48:16 localhost sshd[4901]: Connection closed by 127.0.0.1 [preauth]

This is an EC2 server behind a security group. SSH is key-restricted to only my IP.

I have support staff who perform some actions using webmin. There are logs of one staff member executing cronjobs manually around 11:00, but nothing between 11:00 and 14:45.

.bash_history for the ubuntu user doesn't show anything.

How could I find out what deleted the crontab? Could it be a bug in webmin that caused a long running cron execution to corrupt the crontab file? I didn't have file system auditing enabled in webmin.
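
One way to start from the log lines quoted above, as an added example that is not part of the original question: it extracts crontab DELETE/REPLACE events from syslog and lists the auth.log entries within five minutes of each. The year, the five-minute window and the 11:00 CRON line are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the post. Syslog timestamps carry no year, so YEAR is an assumption.
YEAR = 2024
SYSLOG = ["Mar 15 14:45:18 localhost crontab[4732]: (ubuntu) DELETE (ubuntu)"]
AUTH_LOG = [
    # Constructed line (not from the post): a cron session well outside the window.
    "Mar 15 11:00:01 localhost CRON[2101]: pam_unix(cron:session): session opened for user ubuntu by (uid=0)",
    "Mar 15 14:46:02 localhost sshd[4793]: Connection closed by 127.0.0.1 [preauth]",
    "Mar 15 14:48:16 localhost sshd[4901]: Connection closed by 127.0.0.1 [preauth]",
]

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$")
# crontab(1) logs "(invoking user) ACTION (owner of the crontab)".
ACTION = re.compile(r"^\(([^)]+)\) (DELETE|REPLACE) \(([^)]+)\)")

def parse(line):
    """Split one classic-format syslog line; return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m.group(2), "pid": int(m.group(3) or 0), "msg": m.group(4)}

def crontab_changes(lines):
    """Return DELETE/REPLACE events written by the crontab binary."""
    events = []
    for rec in filter(None, map(parse, lines)):
        m = ACTION.match(rec["msg"]) if rec["prog"] == "crontab" else None
        if m:
            events.append({**rec, "invoker": m.group(1), "action": m.group(2), "owner": m.group(3)})
    return events

def nearby(ts, lines, window=timedelta(minutes=5)):
    """Return (offset_seconds, record) for entries within +/- window of ts, in time order."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        if abs(rec["ts"] - ts) <= window:
            hits.append((int((rec["ts"] - ts).total_seconds()), rec))
    return sorted(hits, key=lambda h: h[0])

if __name__ == "__main__":
    for ev in crontab_changes(SYSLOG):
        print(f'{ev["ts"]} pid={ev["pid"]} {ev["invoker"]} ran {ev["action"]} on {ev["owner"]}')
        for offset, rec in nearby(ev["ts"], AUTH_LOG):
            print(f'  {offset:+5d}s {rec["prog"]}[{rec["pid"]}] {rec["msg"]}')
```

On the quoted lines, the DELETE was invoked as ubuntu (not by root on ubuntu's behalf), and both sshd entries fall after it, at +44 s and +178 s.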

0 Answers