<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"> <html><head><meta name="qrichtext" content="1" /><style type="text/css"> p, li { white-space: pre-wrap; } </style></head><body style=" font-family:'DejaVu Sans'; font-size:9pt; font-weight:400; font-style:normal;"> On Friday 06 February 2009 11:36:20 Aart Koelewijn wrote: > On Fri, 06 Feb 2009 10:56:13 +0000, Dake K. Odzangba wrote: > > On Friday 06 February 2009 10:23:42 Fajar Priyanto wrote: > >> On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba@gmail.com> > >> > >> wrote: > >> > Hello, my system logs contain some pretty suspicious entries: Feb 6 > >> > 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: > >> > smtp host: mail. file: 1232786107.30076 Feb 6 09:57:26 mal-zeth > >> > nullmailer[31122]: smtp: Failed: Connect failed Feb 6 09:57:26 > >> > mal-zeth nullmailer[13750]: Sending failed: Host not found Feb 6 > >> > 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s) > >> > remain. > >> > > >> > I have no idea what it's trying to send out and the same sequence > >> > repeats itself every two minutes or so. I'm freaking out here... has > >> > my system been compromised? > >> > >> First of all it fails to send whatever, so, at least less risk. Second, > >> do: last > >> It will list all login activities, see if you see suspicious. Third, > >> do: > >> sudo updatedb > >> locate one of the file: locate 1232786107.30076 Try what file it is and > >> the content. > >> Last, if you don't need nullmailer, uninstall it. > > > > Thanks Fajar. Apparently the file is being mailed by the anacron daemon. > > > >> Received: (nullmailer pid 30076 invoked by uid 0); > >> Sat, 24 Jan 2009 08:35:07 -0000 > >> From: Anacron <root@mal-zeth.mal-zeth> To: root@mal-zeth.mal-zeth > >> Subject: Anacron job 'cron.daily' on mal-zeth Date: Sat, 24 Jan 2009 > >> 08:35:07 +0000 Message-Id: > >> <1232786107.261939.30075.nullmailer@mal-zeth> > >> > >> run-parts: /etc/cron.daily/apt exited with return code 1 > > > > I think the problem is it got the email address wrong... don't remember > > ever configuring any such thing. In fact, I don't even remember > > installing nullmailer. I think I'll just uninstall it. > > I don't think you should uninstall nullmailer. If you try it will > probably take essential packages like anacron with it. Some packages need > a mail-transfer-agent to be able to inform you when something does not > work like it should, nullmailer is the simplest mta there is and I > suppose a minimal requirement when no other mta is installed. > > You should find out why anacron is using a wrong email address. As far as > I can remember it will usually use something like root@localhost. The > address where it will send its mail can be found in /etc/crontab. On my > box that is a simple "root". If anything more is in there you should take > it out. Then in /etc/aliases you can set to whom mail for root should be > delivered. It should have "root: [your user name]" in there. > > If after checking this, things still don't work, we can look further. > > Aart Hmm,,, I've already uninstalled nullmailer. It took mailx down with it and when I reinstalled mailx, exim4 tagged along. But FWIW: less /etc/crontab > SHELL=/bin/sh > PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin > > # m h dom mon dow user command > 17 * * * * root cd / && run-parts --report /etc/cron.hourly > 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts > --report /etc/cron.daily ) 47 6 * * 7 root test -x > /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ) 52 6 > 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report > /etc/cron.monthly ) # less /etc/anacrontab > SHELL=/bin/sh > PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin > > # These replace cron's entries > 1 5 cron.daily nice run-parts --report /etc/cron.daily > 7 10 cron.weekly nice run-parts --report /etc/cron.weekly > @monthly 15 cron.monthly nice run-parts --report > /etc/cron.monthly less /etc/aliases > # Added by installer for initial user > root: oj > clamav: root Everything seems to be in order. -- Odzangba, Blog: http://odzangba.wordpress.com Registered Linux User #431909 Registered Linux Machines: #337242 #363374 #392526</body></html>