/var/spool/samba/.mc/timecheck??

nurseryboy

Well-Known Member
Mar 3, 2003
78
0
156
I'm getting an email sent to the "nobody" account every 10 mins (started about 12 hours ago). Could someone please explain to me what it means?

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]


------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from nobody by name.server.com with local (Exim 4.44)
id 1DWctM-0005tR-SF
for [email protected]; Fri, 13 May 2005 12:20:01 -0400
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <[email protected]> /var/spool/samba/.mc/timecheck
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=nobody>
Message-Id: <[email protected]>
Date: Fri, 13 May 2005 12:20:00 -0400

/bin/sh: line 1: /var/spool/samba/.mc/timecheck: No such file or directory

Now, obviously I don't have the "nobody" emails going anywhere, and /var/spool/samba/.mc/timecheck cannot be found.

What I would like to know, though, is what this "timecheck" is used for, and what would be calling it?

Thanks a bunch,

Matt
 

nurseryboy

Ok, after grepping around, I found that it was in a cron file for the user "nobody" (in /var/spool/cron/nobody). Any reason why this would be needed? What is it for?

Thanks,

Matt
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,466
30
473
Go on, have a guess
That looks like a server exploit. You shouldn't have hidden directories in the samba log directory, neither should you have a nobody crontab if you didn't set it up. Sounds like you've had someone exploit a vulnerable PHP script and install some software which could be doing anything from sending out spam to being part of a DDoS attack somewhere. You need to clean up the server and lock it down, or get someone to do it for you.
 
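A check for the two signs named in the reply above (a crontab owned by a service account, and a cron command that lives in a hidden directory), added here as an example and not part of the original thread. The SERVICE_USERS list, the function names and the sample crontab lines are assumptions; the sample schedule is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): flag suspicious per-user crontab entries.
# SERVICE_USERS is an assumed list of accounts that normally have no crontab.
SERVICE_USERS="nobody apache www-data httpd daemon"

# audit_cron_spool SPOOL_DIR [ROOT]
#   SPOOL_DIR  directory of per-user crontabs, e.g. /var/spool/cron
#   ROOT       optional prefix for command paths (a mounted copy of the disk)
# Prints "user<TAB>reasons<TAB>command" per finding; returns 1 if any were found.
audit_cron_spool() {
    local spool="$1" root="${2:-}" found=0 file user line cmd path reasons
    for file in "$spool"/*; do
        [ -f "$file" ] || continue
        user=${file##*/}
        while IFS= read -r line || [ -n "$line" ]; do
            set -f; set -- $line; set +f   # split into fields, no globbing
            case ${1:-} in
                ''|\#*|[A-Za-z_]*=*) continue ;;         # blank, comment, VAR=value
                @*) shift ;;                             # @reboot, @daily, ...
                *) [ $# -ge 6 ] || continue; shift 5 ;;  # five time fields
            esac
            [ $# -ge 1 ] || continue
            cmd=$* path=$1
            reasons=
            case " $SERVICE_USERS " in *" $user "*) reasons="$reasons,service-account" ;; esac
            case $path in */.*) reasons="$reasons,hidden-dir" ;; esac
            case $path in /*) [ -e "$root$path" ] || reasons="$reasons,missing-target" ;; esac
            if [ -n "$reasons" ]; then
                printf '%s\t%s\t%s\n' "$user" "${reasons#,}" "$cmd"
                found=1
            fi
        done < "$file"
    done
    return "$found"
}

# Constructed sample spool: the thread's "nobody" entry plus a benign one.
make_sample_spool() {
    mkdir -p "$1/cron" "$1/root/usr/bin"
    : > "$1/root/usr/bin/backup"
    printf '%s\n' '# constructed sample' 'MAILTO=root' \
        '*/10 * * * * /var/spool/samba/.mc/timecheck' > "$1/cron/nobody"
    printf '%s\n' '0 3 * * * /usr/bin/backup --quiet' > "$1/cron/matt"
}

if [ $# -gt 0 ]; then audit_cron_spool "$@"; fi
```

A missing-target finding, as in the bounce message above, means the job's file is gone but the entry that ran it is still installed.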

Kerstin

Well-Known Member
Apr 9, 2005
136
0
166
Berlin
I think so, the message has nothing to do with
email and crontab.

More, you send an email over SAMBA and the receiver
doesn't exist.

Time-out message of the cron daemon :rolleyes: .
 

nurseryboy

Ok. I commented out the cronjob entry and the emails have stopped. So that was definitely what the source of the emails was. I just removed the nobody cron, and set it up again with chattr -i. Don't know if that will stop anything from modifying it or not.

I'll start having someone clean up the server too..
 

Kerstin

The comment is not important ;) When you send an email
over SAMBA (mail function), user directories do not exist and
hidden directories are not viewable.