/var/spool/samba/.mc/timecheck??

nurseryboy · May 13, 2005

I'm getting an email sent to the "nobody" account every 10 mins (started about 12 hours ago). Could someone please explain to me what it means?

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

nobody@name.server.com

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@name.server.com>
Received: from nobody by name.server.com with local (Exim 4.44)
id 1DWctM-0005tR-SF
for nobody@name.server.com; Fri, 13 May 2005 12:20:01 -0400
From: root@name.server.com (Cron Daemon)
To: nobody@name.server.com
Subject: Cron <nobody@name> /var/spool/samba/.mc/timecheck
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=nobody>
Message-Id: <E1DWctM-0005tR-SF@name.server.com>
Date: Fri, 13 May 2005 12:20:00 -0400

/bin/sh: line 1: /var/spool/samba/.mc/timecheck: No such file or directory
Click to expand...

Now, obviously I don't have the "nobody" emails going anywhere, and /var/spool/samba/.mc/timecheck cannot be found.

What I would like to know, though, is what is this "timecheck" is used for.. and what would be calling it?

Thanks a bunch,

Matt

nurseryboy · May 13, 2005

Ok.. after from grepping around, I found that it was in a cron file for the user "nobody" (in /var/spool/cron/nobody). Any reason why this would be needed? What is it for?

Thanks,

Matt

chirpy · May 14, 2005

That looks like a server exploit. You shouldn't have hidden directories in the samba log directory, neither should you have a nobody crontab if you didn't set it up. Sounds like you've had someone exploit a vulnerable php script and install some software which could be doing anything from sending our spam to being part of a DDOS attack somewhere. You need to clean up the server and lock it down, or get someone to do it for you.

Kerstin · May 14, 2005

I think so, the massage have nothig to to with
eMail and Chrontab.

More you send a email over SAMBA and the receiver
dosen`t exist.

Time out message of the chron deamon .

nurseryboy · May 14, 2005

Ok. I commented out the cronjob entry and the emails have stopped. So that was definitely what the source of the emails was. I just removed the nobody cron, and set it up again with chattr -i. Don't know if that will stop anything from modifying it or not.

I'll start having someone clean up the server too..

Kerstin · May 15, 2005

The comment are not importand when you send a eMail
over SAMBA (Mail-Function) ,user directorys not exist and
hidden directorys not viewable.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

/var/spool/samba/.mc/timecheck??

nurseryboy Well-Known Member

nurseryboy Well-Known Member

chirpy Well-Known Member

Kerstin Well-Known Member

nurseryboy Well-Known Member

Kerstin Well-Known Member

Safe to edit /var/spool/cron/root ?

/var/spool/cron query

Safe to remove /var/spool/exim/input, msglog?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

/var/spool/samba/.mc/timecheck??

nurseryboy Well-Known Member

nurseryboy Well-Known Member

chirpy Well-Known Member

Kerstin Well-Known Member

nurseryboy Well-Known Member

Kerstin Well-Known Member

Safe to edit /var/spool/cron/root ?

/var/spool/cron query

Safe to remove /var/spool/exim/input, msglog?

Share This Page