rootmail: Cannot open /var/log/sa/sa26: No such file or directory

NNNils

Well-Known Member
Sep 17, 2002
580
0
166
What does this error mean, I get it about every 15 minutes:

Cannot open /var/log/sa/sa26: No such file or directory


Cannot open /var/log/sa/sa28: No such file or directory

The number behind sa varies, but all files are there.

cPanel.net Support Ticket Number:
 

ciphervendor

Well-Known Member
Aug 26, 2002
1,050
0
166
Perhaps spam assassin is attempting to write a log file? If so, make sure a directory exists with correct ownership/permissions to see what gets written there.

cPanel.net Support Ticket Number:
 

NNNils

Well-Known Member
Sep 17, 2002
580
0
166
The sa dir was gone, after recreation error dissappeared.

cPanel.net Support Ticket Number:
 

nyjimbo

Well-Known Member
Jan 25, 2003
1,133
1
168
New York
Check to see if your other logs or directories are gone too. If so then you might want to check to see if you have been hacked.

Its rare that a directory will blow away unless it was done by a disk check/cleanup like fsck. Often when a hacker gets into a system they will go and blow out /var/log to hide what they did.

:eek:

cPanel.net Support Ticket Number:
 

NNNils

Well-Known Member
Sep 17, 2002
580
0
166
Compared to another server also are missing:

cups
httpd
samba
squid
vbox

cPanel.net Support Ticket Number:
 

nyjimbo

Well-Known Member
Jan 25, 2003
1,133
1
168
New York
What about the normal log files themselves, like maillog, messages, etc ?.

I run freebsd so I dont know if you would have the same naming conventions, but I would think there would be several dozen files in the main /var/log

Also look in your /tmp for anything unusual. You should also check /root for anything updated in the past 24 hours
and if you have console access run a "last" to see who was on recently.
 

NNNils

Well-Known Member
Sep 17, 2002
580
0
166
Yes all the usual files like messages, maillog, security etc are there.

cPanel.net Support Ticket Number:
 

nyjimbo

Well-Known Member
Jan 25, 2003
1,133
1
168
New York
I would still be a bit concerned. See if any new users were added to the main passwd file in /etc, do a ps ax to see if anything weird is running.

If you are running process accounting, run a :

sa -a | more

see if anything weird is listed. If you are not familiar with alot of the programs on your system they will all look weird, but chances are if a hacker ran alot of crap or left something running you might see it in "sa".

cPanel.net Support Ticket Number: