/var/spool/samba/.mc/timecheck??

nurseryboy · May 13, 2005

I'm getting an email sent to the "nobody" account every 10 mins (started about 12 hours ago). Could someone please explain to me what it means?

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from nobody by name.server.com with local (Exim 4.44)
id 1DWctM-0005tR-SF
for [email protected]; Fri, 13 May 2005 12:20:01 -0400
From: [email protected] (Cron Daemon)
To: [email protected]
Subject: Cron <[email protected]> /var/spool/samba/.mc/timecheck
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=nobody>
Message-Id: <[email protected]>
Date: Fri, 13 May 2005 12:20:00 -0400

/bin/sh: line 1: /var/spool/samba/.mc/timecheck: No such file or directory

Now, obviously I don't have the "nobody" emails going anywhere, and /var/spool/samba/.mc/timecheck cannot be found.

What I would like to know, though, is what is this "timecheck" is used for.. and what would be calling it?

Thanks a bunch,

Matt

nurseryboy · May 13, 2005

Ok.. after from grepping around, I found that it was in a cron file for the user "nobody" (in /var/spool/cron/nobody). Any reason why this would be needed? What is it for?

Thanks,

Matt

chirpy · May 14, 2005

That looks like a server exploit. You shouldn't have hidden directories in the samba log directory, neither should you have a nobody crontab if you didn't set it up. Sounds like you've had someone exploit a vulnerable php script and install some software which could be doing anything from sending our spam to being part of a DDOS attack somewhere. You need to clean up the server and lock it down, or get someone to do it for you.

Kerstin · May 14, 2005

I think so, the massage have nothig to to with
eMail and Chrontab.

More you send a email over SAMBA and the receiver
dosen`t exist.

Time out message of the chron deamon

.

nurseryboy · May 14, 2005

Ok. I commented out the cronjob entry and the emails have stopped. So that was definitely what the source of the emails was. I just removed the nobody cron, and set it up again with chattr -i. Don't know if that will stop anything from modifying it or not.

I'll start having someone clean up the server too..

Kerstin · May 15, 2005

The comment are not importand

when you send a eMail
over SAMBA (Mail-Function) ,user directorys not exist and
hidden directorys not viewable.

Thread starter	Similar threads	Forum	Replies	Date
E	Safe to edit /var/spool/cron/root ?	General Discussion	2	Oct 9, 2017
	Can I delete /var/spool/exim/db/retry	General Discussion	1	Jun 12, 2014
A	User cronjobs not saving in /var/spool/cron	General Discussion	2	Jan 18, 2007
R	/var/spool/exim_incoming/input --923MB is this normal	General Discussion	2	Nov 20, 2006
N	Strange Files in /var/spool/	General Discussion	1	Jun 29, 2006

Search

Search

/var/spool/samba/.mc/timecheck??

nurseryboy

Well-Known Member

nurseryboy

Well-Known Member

chirpy

Well-Known Member

Kerstin

Well-Known Member

nurseryboy

Well-Known Member

Kerstin

Well-Known Member