Suspicious System Activity

Dake K. Odzangba odzangba at gmail.com
Fri Feb 6 10:56:13 UTC 2009


On Friday 06 February 2009 10:23:42 Fajar Priyanto wrote:
> On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba at gmail.com> wrote:
> > Hello, my system logs contain some pretty suspicious entries:
> > Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol:
> > smtp host: mail. file: 1232786107.30076
> > Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5
> > message(s) remain.
> >
> > I have no idea what it's trying to send out and the same sequence repeats
> > itself every two minutes or so. I'm freaking out here... has my system
> > been compromised?
>
> First of all it fails to send whatever, so, at least less risk.
> Second, do: last
> It will list all login activities; see if you see anything suspicious.
> Third, do:
> sudo updatedb
> locate one of the files: locate 1232786107.30076
> Check what file it is and its content.
> Last, if you don't need nullmailer, uninstall it.

Thanks Fajar. Apparently the file is being mailed by the anacron daemon. 

> Received: (nullmailer pid 30076 invoked by uid 0);
>         Sat, 24 Jan 2009 08:35:07 -0000
> From: Anacron <root at mal-zeth.mal-zeth>
> To: root at mal-zeth.mal-zeth
> Subject: Anacron job 'cron.daily' on mal-zeth
> Date: Sat, 24 Jan 2009 08:35:07 +0000
> Message-Id: <1232786107.261939.30075.nullmailer at mal-zeth>
>
> run-parts: /etc/cron.daily/apt exited with return code 1

I think the problem is it got the email address wrong... don't remember ever 
configuring any such thing. In fact, I don't even remember installing 
nullmailer. I think I'll just uninstall it. 

-- 
Odzangba,
Blog: http://odzangba.wordpress.com
Registered Linux User #431909
Registered Linux Machines: #337242 #363374 #392526
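
Added example, not part of the original post: a small Python triage helper that ties the log line to the queued message, using the log line and headers quoted above as constructed sample input. It assumes the queue file name has the form `<epoch seconds>.<pid>`, which is inferred from the values in this thread (1232786107 decodes to the header's date, and 30076 is the pid in the Received line).

```python
import re
from datetime import datetime, timezone
from email import message_from_string

# Constructed sample input: one log line and the queued message, copied from the post
# (the log line is unwrapped; the archive's "at" address obfuscation is kept).
LOG = ("Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: "
       "protocol: smtp host: mail. file: 1232786107.30076\n")
QUEUED = """\
Received: (nullmailer pid 30076 invoked by uid 0);
\tSat, 24 Jan 2009 08:35:07 -0000
From: Anacron <root at mal-zeth.mal-zeth>
To: root at mal-zeth.mal-zeth
Subject: Anacron job 'cron.daily' on mal-zeth

run-parts: /etc/cron.daily/apt exited with return code 1
"""

START = re.compile(r"Starting delivery: .*?host: (\S+) file: (\d+)\.(\d+)")
RECEIVED = re.compile(r"nullmailer pid (\d+) invoked by uid (\d+)")

def queue_files(log):
    """Map each queue file in the log to (relay host, queued-at UTC, queuing pid).
    Assumption: the file name is <epoch seconds>.<pid>."""
    out = {}
    for host, epoch, pid in START.findall(log):
        when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        out[f"{epoch}.{pid}"] = (host, when, int(pid))
    return out

def origin(raw):
    """Read who queued the message from its Received header and mail headers."""
    msg = message_from_string(raw)
    m = RECEIVED.search(msg.get("Received", ""))
    pid, uid = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    return {"pid": pid, "uid": uid, "from": msg["From"],
            "to": msg["To"], "subject": msg["Subject"]}

def triage(log, raw, name):
    """Combine log and message evidence for one queue file."""
    host, when, pid = queue_files(log)[name]
    info = origin(raw)
    info.update(relay=host, queued=when.isoformat(),
                pid_matches=(pid == info["pid"]))
    return info

if __name__ == "__main__":
    for key, value in triage(LOG, QUEUED, "1232786107.30076").items():
        print(f"{key:12} {value}")
```

The result shows a message queued on 24 January by uid 0 and addressed to local root, which the 6 February log lines are still retrying against the unresolvable relay `mail.`.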