Suspicious System Activity

Aart Koelewijn aart at mtack.xs4all.nl
Fri Feb 6 11:36:20 UTC 2009


On Fri, 06 Feb 2009 10:56:13 +0000, Dake K. Odzangba wrote:

> On Friday 06 February 2009 10:23:42 Fajar Priyanto wrote:
>> On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba at gmail.com>
>> wrote:
>> > Hello, my system logs contain some pretty suspicious entries:
>> >
>> > Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1232786107.30076
>> > Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
>> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
>> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s) remain.
>> >
>> > I have no idea what it's trying to send out and the same sequence
>> > repeats itself every two minutes or so. I'm freaking out here... has
>> > my system been compromised?
>>
>> First of all, it fails to send whatever it is, so at least there is less risk.
>> Second, do:
>> last
>> It will list all login activity; see if you see anything suspicious.
>> Third, do:
>> sudo updatedb
>> locate one of the files: locate 1232786107.30076
>> Try to find out what file it is and what its content is.
>> Last, if you don't need nullmailer, uninstall it.
> 
> Thanks Fajar. Apparently the file is being mailed by the anacron daemon.
> 
>> Received: (nullmailer pid 30076 invoked by uid 0);
>>         Sat, 24 Jan 2009 08:35:07 -0000
>> From: Anacron <root at mal-zeth.mal-zeth>
>> To: root at mal-zeth.mal-zeth
>> Subject: Anacron job 'cron.daily' on mal-zeth
>> Date: Sat, 24 Jan 2009 08:35:07 +0000
>> Message-Id: <1232786107.261939.30075.nullmailer at mal-zeth>
>>
>> run-parts: /etc/cron.daily/apt exited with return code 1
> 
> I think the problem is it got the email address wrong... don't remember
> ever configuring any such thing. In fact, I don't even remember
> installing nullmailer. I think I'll just uninstall it.

I don't think you should uninstall nullmailer. If you try, it will 
probably take essential packages like anacron with it. Some packages need 
a mail-transfer-agent to be able to inform you when something does not 
work like it should; nullmailer is the simplest MTA there is and, I 
suppose, a minimal requirement when no other MTA is installed.

You should find out why anacron is using a wrong email address. As far as 
I can remember, it will usually use something like root at localhost. The 
address where it will send its mail can be found in /etc/crontab. On my 
box that is a simple "root". If anything more is in there, you should take 
it out. Then in /etc/aliases you can set to whom mail for root should be 
delivered. It should have "root:	[your user name]" in there.

If after checking this, things still don't work, we can look further.

Aart
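The two checks Aart describes (the MAILTO line in /etc/crontab and the root entry in /etc/aliases), as an added shell script that is not part of the thread; it runs against constructed sample files whose MAILTO and alias values are assumptions chosen to resemble the misrouted address in the quoted headers.

```shell
#!/bin/sh
# Added example: report where cron/anacron mail for root will be routed.
# File paths are parameters so the same functions can be pointed at the
# constructed samples below or at the real /etc/crontab and /etc/aliases.

# Effective MAILTO of a crontab: cron defaults to "root" when it is unset;
# an explicitly empty MAILTO="" disables mail and is reported as "(none)".
crontab_mailto() {
    awk -F= '
        /^[ \t]*MAILTO[ \t]*=/ { v = $2; gsub(/[" \t]/, "", v); found = 1; last = v }
        END {
            if (!found) print "root"
            else if (last == "") print "(none)"
            else print last
        }
    ' "$1"
}

# Destination of mail for root according to an aliases file ("(unset)" if absent).
root_alias() {
    awk -F: '
        $1 ~ /^[ \t]*root[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v); last = v }
        END { print (last == "" ? "(unset)" : last) }
    ' "$1"
}

# Classify a MAILTO value: "local" (bare user, resolved through aliases),
# "remote" (carries a domain, so it needs a working relay), or "none".
mailto_kind() {
    case $1 in
        '(none)') echo none ;;
        *@*)      echo remote ;;
        *)        echo local ;;
    esac
}

# One-line verdict combining both checks.
mail_routing_report() {
    m=$(crontab_mailto "$1"); a=$(root_alias "$2")
    echo "MAILTO=$m ($(mailto_kind "$m")); root alias=$a"
}

# Constructed samples (assumed values): MAILTO names a bogus host, so the
# mail would leave the box instead of landing in the local alias.
make_samples() {
    d=$(mktemp -d)
    printf 'SHELL=/bin/sh\nMAILTO="root@mal-zeth.mal-zeth"\n25 6 * * * root test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily\n' > "$d/crontab"
    printf 'postmaster: root\nroot:\tdake\n' > "$d/aliases"
    echo "$d"
}
```

On a live system the same report is produced with `mail_routing_report /etc/crontab /etc/aliases`; a "remote" MAILTO with a non-existent host is exactly the situation in which nullmailer keeps retrying and logging "Host not found".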
