Suspicious System Activity
Dake K. Odzangba
odzangba at gmail.com
Fri Feb 6 12:37:25 UTC 2009
On Friday 06 February 2009 11:36:20 Aart Koelewijn wrote:
> On Fri, 06 Feb 2009 10:56:13 +0000, Dake K. Odzangba wrote:
> > On Friday 06 February 2009 10:23:42 Fajar Priyanto wrote:
> >> On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba at gmail.com>
> >>
> >> wrote:
> >> > Hello, my system logs contain some pretty suspicious entries:
> >> >
> >> > Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1232786107.30076
> >> > Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
> >> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
> >> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s) remain.
> >> >
> >> > I have no idea what it's trying to send out and the same sequence
> >> > repeats itself every two minutes or so. I'm freaking out here... has
> >> > my system been compromised?
> >>
> >> First of all, it fails to send whatever it is, so at least there is less risk. Second,
> >> do: last
> >> It will list all login activity; see if you see anything suspicious. Third,
> >> do:
> >> sudo updatedb
> >> locate one of the files: locate 1232786107.30076
> >> Then look at what file it is and its content.
> >> Last, if you don't need nullmailer, uninstall it.
> >
> > Thanks Fajar. Apparently the file is being mailed by the anacron daemon.
> >
> >> Received: (nullmailer pid 30076 invoked by uid 0);
> >> Sat, 24 Jan 2009 08:35:07 -0000
> >> From: Anacron <root at mal-zeth.mal-zeth>
> >> To: root at mal-zeth.mal-zeth
> >> Subject: Anacron job 'cron.daily' on mal-zeth
> >> Date: Sat, 24 Jan 2009 08:35:07 +0000
> >> Message-Id: <1232786107.261939.30075.nullmailer at mal-zeth>
> >>
> >> run-parts: /etc/cron.daily/apt exited with return code 1
> >
> > I think the problem is it got the email address wrong... don't remember
> > ever configuring any such thing. In fact, I don't even remember
> > installing nullmailer. I think I'll just uninstall it.
>
> I don't think you should uninstall nullmailer. If you try it will
> probably take essential packages like anacron with it. Some packages need
> a mail-transfer-agent to be able to inform you when something does not
> work like it should, nullmailer is the simplest mta there is and I
> suppose a minimal requirement when no other mta is installed.
>
> You should find out why anacron is using a wrong email address. As far as
> I can remember it will usually use something like root at localhost. The
> address where it will send its mail can be found in /etc/crontab. On my
> box that is a simple "root". If anything more is in there you should take
> it out. Then in /etc/aliases you can set to whom mail for root should be
> delivered. It should have "root: [your user name]" in there.
>
> If after checking this, things still don't work, we can look further.
>
> Aart
Hmm... I've already uninstalled nullmailer. It took mailx down with it, and when I reinstalled mailx, exim4 tagged along. But FWIW:
less /etc/crontab
> SHELL=/bin/sh
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>
> # m h dom mon dow user command
> 17 * * * * root cd / && run-parts --report /etc/cron.hourly
> 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
> 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
> 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
> #
less /etc/anacrontab
> SHELL=/bin/sh
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>
> # These replace cron's entries
> 1 5 cron.daily nice run-parts --report /etc/cron.daily
> 7 10 cron.weekly nice run-parts --report /etc/cron.weekly
> @monthly 15 cron.monthly nice run-parts --report /etc/cron.monthly
less /etc/aliases
> # Added by installer for initial user
> root: oj
> clamav: root
Everything seems to be in order.
--
Odzangba,
Blog: http://odzangba.wordpress.com
Registered Linux User #431909
Registered Linux Machines: #337242 #363374 #392526
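The triage the thread walks through (read the nullmailer syslog entries, then open the queued message to see who generated it) as an added Python example; this is not code from the thread. The log lines and queued message are constructed copies of the ones quoted above, with the "at" in addresses written as "@".

```python
import re

# Constructed sample syslog lines, modelled on those quoted in the thread.
SYSLOG = """\
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1232786107.30076
Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s) remain.
"""

# Constructed queued message, modelled on the headers quoted in the thread.
QUEUED_MSG = """\
Received: (nullmailer pid 30076 invoked by uid 0);
 Sat, 24 Jan 2009 08:35:07 -0000
From: Anacron <root@mal-zeth.mal-zeth>
To: root@mal-zeth.mal-zeth
Subject: Anacron job 'cron.daily' on mal-zeth

run-parts: /etc/cron.daily/apt exited with return code 1
"""

LOG_RE = re.compile(r"nullmailer\[(\d+)\]: (.*)$")
START_RE = re.compile(r"Starting delivery: protocol: (\S+) host: (\S+) file: (\S+)")
REMAIN_RE = re.compile(r"Delivery complete, (\d+) message\(s\) remain")

def parse_nullmailer_log(text):
    """Summarise delivery attempts: target host, queue file name, failure reasons, queue depth."""
    summary = {"attempts": [], "failures": [], "remaining": None}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group(2)
        s = START_RE.match(msg)
        if s:
            summary["attempts"].append({"protocol": s.group(1), "host": s.group(2), "file": s.group(3)})
        elif msg.startswith(("Sending failed:", "smtp: Failed:")):
            summary["failures"].append(msg.rsplit(": ", 1)[1])  # keep only the reason
        r = REMAIN_RE.match(msg)
        if r:
            summary["remaining"] = int(r.group(1))
    return summary

def triage_queued_message(text):
    """Extract who queued a message (uid from the Received: header) and what it is (From, Subject, body)."""
    headers, _, body = text.partition("\n\n")
    info = {"uid": None, "from": None, "subject": None, "body_first_line": body.splitlines()[0] if body else ""}
    uid = re.search(r"invoked by uid (\d+)", headers)
    if uid:
        info["uid"] = int(uid.group(1))
    for name in ("From", "Subject"):
        h = re.search(rf"^{name}: (.*)$", headers, re.M)
        if h:
            info[name.lower()] = h.group(1).strip()
    return info
```

Run against the real files (the syslog and a file from the nullmailer queue directory), a message queued by uid 0 with an Anacron From: and a cron job subject is the daily report the thread identified, not an outbound message from an intruder.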