02-06-2009, 09:06 AM
"Dake K. Odzangba"

Suspicious System Activity

Hello, my system logs contain some pretty suspicious entries:

Feb 6 09:57:14 mal-zeth nullmailer[13750]: Rescanning queue.
Feb 6 09:57:14 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1232179547.12146
Feb 6 09:57:20 mal-zeth nullmailer[31081]: smtp: Failed: Connect failed
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1232972820.23880
Feb 6 09:57:20 mal-zeth nullmailer[31112]: smtp: Failed: Connect failed
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1230018036.25053
Feb 6 09:57:20 mal-zeth nullmailer[31118]: smtp: Failed: Connect failed
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1233752295.23754
Feb 6 09:57:20 mal-zeth nullmailer[31121]: smtp: Failed: Connect failed
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1232786107.30076
Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s) remain.

I have no idea what it's trying to send out and the same sequence repeats itself every two minutes or so. I'm freaking out here... has my system been compromised?

Some info about my system:
Ubuntu 8.10

uname -a:
Linux mal-zeth 2.6.27-11-generic #1 SMP Thu Jan 29 19:24:39 UTC 2009 i686 GNU/Linux

--
Odzangba,
Blog: http://odzangba.wordpress.com
Registered Linux User #431909
Registered Linux Machines: #337242 #363374 #392526
--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
02-06-2009, 09:23 AM
Fajar Priyanto

Suspicious System Activity

On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba@gmail.com> wrote:
> Hello, my system logs contain some pretty suspicious entries:
> Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp
> host: mail. file: 1232786107.30076
> Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
> Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
> Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s)
> remain.
>
> I have no idea what it's trying to send out and the same sequence repeats
> itself every two minutes or so. I'm freaking out here... has my system been
> compromised?

First of all it fails to send whatever, so, at least less risk.
Second, do: last
It will list all login activities, see if you see suspicious.
Third, do:
sudo updatedb
locate one of the file: locate 1232786107.30076
Try what file it is and the content.
Last, if you don't need nullmailer, uninstall it.

 
02-06-2009, 09:56 AM
"Dake K. Odzangba"

Suspicious System Activity

On Friday 06 February 2009 10:23:42 Fajar Priyanto wrote:
> On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba@gmail.com> wrote:
> > Hello, my system logs contain some pretty suspicious entries:
> > Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol:
> > smtp host: mail. file: 1232786107.30076
> > Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
> > Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5
> > message(s) remain.
> >
> > I have no idea what it's trying to send out and the same sequence repeats
> > itself every two minutes or so. I'm freaking out here... has my system
> > been compromised?
>
> First of all it fails to send whatever, so, at least less risk.
> Second, do: last
> It will list all login activities, see if you see suspicious.
> Third, do:
> sudo updatedb
> locate one of the file: locate 1232786107.30076
> Try what file it is and the content.
> Last, if you don't need nullmailer, uninstall it.

Thanks Fajar. Apparently the file is being mailed by the anacron daemon.

> Received: (nullmailer pid 30076 invoked by uid 0);
> Sat, 24 Jan 2009 08:35:07 -0000
> From: Anacron <root@mal-zeth.mal-zeth>
> To: root@mal-zeth.mal-zeth
> Subject: Anacron job 'cron.daily' on mal-zeth
> Date: Sat, 24 Jan 2009 08:35:07 +0000
> Message-Id: <1232786107.261939.30075.nullmailer@mal-zeth>
>
> run-parts: /etc/cron.daily/apt exited with return code 1

I think the problem is it got the email address wrong... don't remember ever configuring any such thing. In fact, I don't even remember installing nullmailer. I think I'll just uninstall it.

--
Odzangba,
Blog: http://odzangba.wordpress.com
Registered Linux User #431909
Registered Linux Machines: #337242 #363374 #392526
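
Added example, not part of the thread: the queue file names in the nullmailer log lines from the first post can be decoded to show when each stuck message was queued, which helps tell an old backlog of local cron mail from a fresh burst of outbound mail. Reading the file name as `<epoch seconds>.<pid>` is an assumption that matches the Received header quoted above for 1232786107.30076 (pid 30076, Sat, 24 Jan 2009 08:35:07); `triage` and `SAMPLE_LOG` are names chosen for this example.

```python
import re
from datetime import datetime, timezone

# Sample input: a subset of the log lines quoted in the first post of the thread.
SAMPLE_LOG = """\
Feb 6 09:57:14 mal-zeth nullmailer[13750]: Rescanning queue.
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1230018036.25053
Feb 6 09:57:20 mal-zeth nullmailer[31118]: smtp: Failed: Connect failed
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol: smtp host: mail. file: 1232786107.30076
Feb 6 09:57:26 mal-zeth nullmailer[31122]: smtp: Failed: Connect failed
Feb 6 09:57:26 mal-zeth nullmailer[13750]: Sending failed: Host not found
Feb 6 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s) remain.
"""

START = re.compile(r"nullmailer\[\d+\]: Starting delivery: protocol: (\S+) host: (\S+) file: (\d+)\.(\d+)\s*$")
FAILED = re.compile(r"nullmailer\[\d+\]: Sending failed: (.+?)\s*$")
REMAIN = re.compile(r"nullmailer\[\d+\]: Delivery complete, (\d+) message\(s\) remain")


def triage(log_text):
    """Return (attempts, remaining): one dict per delivery attempt, plus the queue depth."""
    attempts, remaining = [], None
    for line in log_text.splitlines():
        if m := START.search(line):
            proto, relay, epoch, pid = m.groups()
            attempts.append({
                "file": f"{epoch}.{pid}",
                "protocol": proto,
                "relay": relay,
                # Assumption: the queue file name is <epoch seconds>.<pid>, which matches
                # the Received header quoted in the thread for 1232786107.30076.
                "queued_utc": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
                "pid": int(pid),
                "result": "no result logged",
            })
        elif (m := FAILED.search(line)) and attempts:
            # A failure line belongs to the most recent "Starting delivery" line.
            attempts[-1]["result"] = "failed: " + m.group(1)
        elif m := REMAIN.search(line):
            remaining = int(m.group(1))
    return attempts, remaining


if __name__ == "__main__":
    attempts, remaining = triage(SAMPLE_LOG)
    for a in attempts:
        print(f'{a["file"]}  queued {a["queued_utc"]:%Y-%m-%d %H:%M:%S} UTC by pid {a["pid"]}'
              f'  via {a["protocol"]}://{a["relay"]}  {a["result"]}')
    print("still queued:", remaining)
```

On the sample, both messages decode to dates weeks before the log entry (23 Dec 2008 and 24 Jan 2009), and every attempt fails against the same relay name `mail.`.
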
 
02-06-2009, 10:36 AM
Aart Koelewijn

Suspicious System Activity

On Fri, 06 Feb 2009 10:56:13 +0000, Dake K. Odzangba wrote:

> On Friday 06 February 2009 10:23:42 Fajar Priyanto wrote:
>> On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba@gmail.com>
>> wrote:
>> > Hello, my system logs contain some pretty suspicious entries: Feb 6
>> > 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol:
>> > smtp host: mail. file: 1232786107.30076 Feb 6 09:57:26 mal-zeth
>> > nullmailer[31122]: smtp: Failed: Connect failed Feb 6 09:57:26
>> > mal-zeth nullmailer[13750]: Sending failed: Host not found Feb 6
>> > 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s)
>> > remain.
>> >
>> > I have no idea what it's trying to send out and the same sequence
>> > repeats itself every two minutes or so. I'm freaking out here... has
>> > my system been compromised?
>>
>> First of all it fails to send whatever, so, at least less risk. Second,
>> do: last
>> It will list all login activities, see if you see suspicious. Third,
>> do:
>> sudo updatedb
>> locate one of the file: locate 1232786107.30076 Try what file it is and
>> the content.
>> Last, if you don't need nullmailer, uninstall it.
>
> Thanks Fajar. Apparently the file is being mailed by the anacron daemon.
>
>> Received: (nullmailer pid 30076 invoked by uid 0);
>> Sat, 24 Jan 2009 08:35:07 -0000
>> From: Anacron <root@mal-zeth.mal-zeth> To: root@mal-zeth.mal-zeth
>> Subject: Anacron job 'cron.daily' on mal-zeth Date: Sat, 24 Jan 2009
>> 08:35:07 +0000 Message-Id:
>> <1232786107.261939.30075.nullmailer@mal-zeth>
>>
>> run-parts: /etc/cron.daily/apt exited with return code 1
>
> I think the problem is it got the email address wrong... don't remember
> ever configuring any such thing. In fact, I don't even remember
> installing nullmailer. I think I'll just uninstall it.

I don't think you should uninstall nullmailer. If you try it will
probably take essential packages like anacron with it. Some packages need
a mail-transfer-agent to be able to inform you when something does not
work like it should, nullmailer is the simplest mta there is and I
suppose a minimal requirement when no other mta is installed.

You should find out why anacron is using a wrong email address. As far as
I can remember it will usually use something like root@localhost. The
address where it will send its mail can be found in /etc/crontab. On my
box that is a simple "root". If anything more is in there you should take
it out. Then in /etc/aliases you can set to whom mail for root should be
delivered. It should have "root: [your user name]" in there.

If after checking this, things still don't work, we can look further.

Aart


 
02-06-2009, 11:37 AM
"Dake K. Odzangba"

Suspicious System Activity

On Friday 06 February 2009 11:36:20 Aart Koelewijn wrote:
> On Fri, 06 Feb 2009 10:56:13 +0000, Dake K. Odzangba wrote:
> > On Friday 06 February 2009 10:23:42 Fajar Priyanto wrote:
> >> On Fri, Feb 6, 2009 at 6:06 PM, Dake K. Odzangba <odzangba@gmail.com>
> >>
> >> wrote:
> >> > Hello, my system logs contain some pretty suspicious entries: Feb 6
> >> > 09:57:20 mal-zeth nullmailer[13750]: Starting delivery: protocol:
> >> > smtp host: mail. file: 1232786107.30076 Feb 6 09:57:26 mal-zeth
> >> > nullmailer[31122]: smtp: Failed: Connect failed Feb 6 09:57:26
> >> > mal-zeth nullmailer[13750]: Sending failed: Host not found Feb 6
> >> > 09:57:26 mal-zeth nullmailer[13750]: Delivery complete, 5 message(s)
> >> > remain.
> >> >
> >> > I have no idea what it's trying to send out and the same sequence
> >> > repeats itself every two minutes or so. I'm freaking out here... has
> >> > my system been compromised?
> >>
> >> First of all it fails to send whatever, so, at least less risk. Second,
> >> do: last
> >> It will list all login activities, see if you see suspicious. Third,
> >> do:
> >> sudo updatedb
> >> locate one of the file: locate 1232786107.30076 Try what file it is and
> >> the content.
> >> Last, if you don't need nullmailer, uninstall it.
> >
> > Thanks Fajar. Apparently the file is being mailed by the anacron daemon.
> >
> >> Received: (nullmailer pid 30076 invoked by uid 0);
> >> Sat, 24 Jan 2009 08:35:07 -0000
> >> From: Anacron <root@mal-zeth.mal-zeth> To: root@mal-zeth.mal-zeth
> >> Subject: Anacron job 'cron.daily' on mal-zeth Date: Sat, 24 Jan 2009
> >> 08:35:07 +0000 Message-Id:
> >> <1232786107.261939.30075.nullmailer@mal-zeth>
> >>
> >> run-parts: /etc/cron.daily/apt exited with return code 1
> >
> > I think the problem is it got the email address wrong... don't remember
> > ever configuring any such thing. In fact, I don't even remember
> > installing nullmailer. I think I'll just uninstall it.
>
> I don't think you should uninstall nullmailer. If you try it will
> probably take essential packages like anacron with it. Some packages need
> a mail-transfer-agent to be able to inform you when something does not
> work like it should, nullmailer is the simplest mta there is and I
> suppose a minimal requirement when no other mta is installed.
>
> You should find out why anacron is using a wrong email address. As far as
> I can remember it will usually use something like root@localhost. The
> address where it will send its mail can be found in /etc/crontab. On my
> box that is a simple "root". If anything more is in there you should take
> it out. Then in /etc/aliases you can set to whom mail for root should be
> delivered. It should have "root: [your user name]" in there.
>
> If after checking this, things still don't work, we can look further.
>
> Aart

Hmm,,, I've already uninstalled nullmailer. It took mailx down with it and when I reinstalled mailx, exim4 tagged along. But FWIW:

less /etc/crontab
> SHELL=/bin/sh
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>
> # m h dom mon dow user command
> 17 * * * * root cd / && run-parts --report /etc/cron.hourly
> 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
> 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
> 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
> #

less /etc/anacrontab
> SHELL=/bin/sh
> PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
>
> # These replace cron's entries
> 1 5 cron.daily nice run-parts --report /etc/cron.daily
> 7 10 cron.weekly nice run-parts --report /etc/cron.weekly
> @monthly 15 cron.monthly nice run-parts --report /etc/cron.monthly

less /etc/aliases
> # Added by installer for initial user
> root: oj
> clamav: root

Everything seems to be in order.

--
Odzangba,
Blog: http://odzangba.wordpress.com
Registered Linux User #431909
Registered Linux Machines: #337242 #363374 #392526