Time bomb

IlyaM on 2002-09-20T18:06:31

Two days ago I got an email from a guy who works for my dad. He wrote that his crontab entries had gone away. Instead, his crontab had only one entry, 'rm -rf /path/to/website/root/', which was supposed to run on 1st January (he-he, happy New Year). I help my dad admin his company's website server, so I was asked to look into this incident.

Damn, at first I thought that we'd been hacked, but later research showed that it was an insider's work. An ex-employee still had an account on this web server and, moreover, he still had permission to use sudo to switch to root. It was dumb luck that he was so clueless that he overwrote the crontab instead of adding a new entry or making another, better-hidden time bomb. And of course with root rights he could have done much more harm. Apparently he edited some server logs to hide what he had done, but he forgot to delete his ~/.bash_history :).
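The incident above was only noticed because the legitimate cron entries disappeared. As an added example (not part of the original post, and not the author's own tooling), the script below shows the kind of crontab audit a defender would run: it diffs a saved baseline against the current crontab, reports entries that vanished or appeared, and flags entries that combine a destructive command with a one-shot calendar date, exactly the shape of the time bomb described. The two crontabs embedded in it are constructed for the example; the file paths and script names in them are made up.

```python
"""Audit a user's crontab against a saved baseline and flag time-bomb style entries."""

# Constructed sample data: the crontab as it was backed up earlier (baseline)
# and as it looked after the incident (current). Paths are invented.
BASELINE_CRONTAB = """\
MAILTO=webmaster@example.invalid
# nightly site backup
0 3 * * * /usr/local/bin/backup-site.sh
*/15 * * * * /usr/local/bin/rotate-logs.sh
"""

CURRENT_CRONTAB = """\
0 0 1 1 * rm -rf /path/to/website/root/
"""


def parse_crontab(text):
    """Return a list of dicts for each schedule line (comments, blanks and VAR=value lines are skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:            # environment assignment such as MAILTO=...
            continue
        if first.startswith("@"):   # @reboot, @daily, ... have no five-field schedule
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        minute, hour, dom, month, dow, command = fields
        entries.append({"line": line, "minute": minute, "hour": hour, "dom": dom,
                        "month": month, "dow": dow, "command": command})
    return entries


def is_destructive(command):
    """True for rm with recursive+force flags, or well-known disk-wiping programs."""
    tokens = command.split()
    if not tokens:
        return False
    prog = tokens[0].rsplit("/", 1)[-1]
    if prog in {"shred", "wipefs", "mkfs"} or prog.startswith("mkfs."):
        return True
    if prog == "rm":
        short = "".join(t[1:] for t in tokens[1:] if t.startswith("-") and not t.startswith("--"))
        longf = {t for t in tokens[1:] if t.startswith("--")}
        recursive = "r" in short or "R" in short or "--recursive" in longf
        force = "f" in short or "--force" in longf
        return recursive and force
    return False


def is_one_shot(entry):
    """An entry pinned to a single day-of-month and month fires on one calendar date per year."""
    return entry["dom"].isdigit() and entry["month"].isdigit()


def audit(baseline_text, current_text):
    """Diff the two crontabs and collect suspicious current entries with the reasons they were flagged."""
    baseline_lines = {e["line"] for e in parse_crontab(baseline_text)}
    current = parse_crontab(current_text)
    current_lines = {e["line"] for e in current}
    findings = {
        "removed": sorted(baseline_lines - current_lines),
        "added": sorted(current_lines - baseline_lines),
        "suspicious": [],
    }
    for e in current:
        reasons = []
        if is_destructive(e["command"]):
            reasons.append("destructive command")
        if is_one_shot(e):
            reasons.append("fires on a single date (%s/%s)" % (e["dom"], e["month"]))
        if reasons:
            findings["suspicious"].append((e["line"], reasons))
    return findings


if __name__ == "__main__":
    result = audit(BASELINE_CRONTAB, CURRENT_CRONTAB)
    for key in ("removed", "added"):
        for line in result[key]:
            print("%-8s %s" % (key.upper(), line))
    for line, reasons in result["suspicious"]:
        print("SUSPECT  %s  [%s]" % (line, ", ".join(reasons)))
```

In practice the baseline would be a copy of `crontab -l` output kept outside the user's reach (a config management repository or a root-owned snapshot), and the audit would run from cron itself or from a monitoring job so that a wiped crontab is reported rather than noticed by accident. The same "compare against a known-good snapshot" approach applies to the sudoers file and the account list, which is where the stale ex-employee account with sudo rights would have been caught.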