welo

Well-Known Member
Nov 11, 2002
71
0
156
For a while now the Cron Daemon emails have been containing a line saying:

passwd: Unknown user name 'xfs'
Does anyone know what this is? The whole recent episode with that trojan has me a little jumpy. I cannot find 'xfs' anywhere either, so I'm not even sure what's generating this. Any perspective is welcome.
 

welo

I think I found out why this is happening. Exploring my /tmp dir thoroughly just now I ran across an eggdrop someone put in there in an /.xfsd dir containing all kinds of pid files. I cleaned it all out. Let's see if the messages stop.
 

welo

Here's something interesting. Although I believe I tracked down everything questionable and removed it, Cron Daemon has continued to send me these messages.

The box this was happening to was RH 7.3, and this past week I moved to an entirely new server running FC1. Nothing was moved except for stuff in the /home/ dir, and guess what? I'm still receiving these messages!

I'm hoping someone here knows exactly what file(s) cPanel is reading to derive this "Unknown user name" information. I sure can't find it and I'm slightly paranoid. This server move was announced to no one in advance, and nobody on the box was given the IP and nameservers to the new one until after everything was imported.

Does someone happen to know of a scanning script I could run to find out where this is coming from?
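
An added example, not part of the original posts: a small shell script that lists every cron-run file mentioning an account name as a whole word, checks whether that account exists, and lists hidden directories under /tmp like the /.xfsd one described above. The cron paths are the usual Red Hat-family defaults (an assumption), the function names are made up for this example, and only files cron reads directly are searched, not scripts those jobs call in turn.

```shell
#!/bin/sh
# Added example: trace which cron-run file references an account name,
# e.g. the source of "passwd: Unknown user name 'xfs'" in cron mail.

# Usual cron locations on Red Hat-family systems (assumed defaults).
CRON_PATHS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily
/etc/cron.weekly /etc/cron.monthly /var/spool/cron"

# find_cron_refs USER [PATH...]
# Prints "file:line:text" for each line where USER appears as a whole word.
find_cron_refs() {
    user=$1; shift
    [ $# -gt 0 ] || set -- $CRON_PATHS
    for p in "$@"; do
        [ -e "$p" ] || continue
        # -w whole word, -F literal string, -n line number, -I skip binaries
        find "$p" -type f -exec grep -HnwIF -- "$user" {} + 2>/dev/null || true
    done
    return 0
}

# account_exists USER [PASSWD_FILE]
# Succeeds only if USER has an entry in the passwd file.
account_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# find_hidden_dirs [DIR...]
# Prints dot-directories below the given directories (default /tmp, /var/tmp).
# Entries such as .X11-unix or .ICE-unix are normal; review anything else.
find_hidden_dirs() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp
    for p in "$@"; do
        [ -d "$p" ] || continue
        find "$p" -mindepth 1 -type d -name '.*' 2>/dev/null || true
    done
    return 0
}

# Run as: sh thisfile --scan [USER]   (run as root to read /var/spool/cron)
if [ "${1:-}" = "--scan" ]; then
    name=${2:-xfs}
    account_exists "$name" || echo "no '$name' entry in /etc/passwd"
    find_cron_refs "$name"
    find_hidden_dirs
fi
```

A hit in a cron directory points at the job to read next; no hits means the reference sits in a script that a cron job calls, so follow the commands in the listed jobs from there.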