Re: Strange goings on in sendmail logs

From: Adam Bowns (adam-bowns_at_ntlworld.com)
Date: 08/22/03

    To: redhat-list@redhat.com
    Date: 22 Aug 2003 19:29:21 +0100
    
    

    On Fri, 2003-08-22 at 18:50, Gerry Doris wrote:
    > > Hello all,
    > >
    > > Looking through my mail log I noticed some strange flagged entries.
    > > These were.
    > >
    > >
    > > sendmail[6056]: h7MB8Ucu006055: forward /root/.forward.Unimatrix0:
    > > Permission denied
    > >
    > > sendmail[6056]: h7MB8Ucu006055: forward /root/.forward: Permission
    > > denied
    > >
    > > From what I have read about on the subject I understand that a .forward
    > > file is used to forward mail to another host, what is puzzling me is
    > > that I have never created a root/.forward file, nor have I requested for
    > > any mail to be forwarded by any other means.
    > >
    > > I was wondering if anyone out there knew the sort of thing that could
    > > cause this, as I don't know if it's a malicious attempt to forward my
    > > mail or if I have simply mis-configured something.
    > >
    > >
    > > Thanks in advance,
    > > Adam Bowns
    >
    > Are you really sure you haven't created a .forward file in /root? Perhaps
    > you used a vacation program at some point?
    >
    > The first thing I'd do is disconnect your box from the internet. Next
    > open the .forward file and see what's in it. Hopefully, that will jog
    > your memory. If it still doesn't look like something you've done then you
    > have to assume your system has been broken into.
    >
    > You might want to run chkrootkit on your system. It will do a pretty
    > thorough job of checking for rootkits that may have been installed.
    > However, once someone has gotten in the only proper alternative is to
    > reload your box.
    >
    > What version of OS are you running? Have you been keeping up with all the
    > security patches?
    >
    >
    > Gerry
    >
    >

    I have checked again but the .forward file doesn't exist in my /root/
    directory. This error is confusing me because I would expect it to give
    a No such file or directory error instead of a permission denied.

    The only thing that I have thought of was that it could be Apache trying
    to send email as root, and it's getting a permission denied on the /root/
    directory, not the .forward file itself... but that's just a stab in the
    dark.

    As for the system, it's on Red Hat 9, and fully up to date with all
    security patches.

    Thanks for the reply,
    Adam Bowns
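
Added example, not part of the original thread: a lookup of a file that does not exist reports "Permission denied" rather than "No such file or directory" when the calling process lacks search (x) permission on a parent directory such as /root, and this sketch walks the directories of a path to show which error a given uid would get. The function names `can_search` and `lookup_result` are hypothetical, only classic mode bits are modelled (no ACLs, SELinux or capabilities), and it assumes it is run by a user that can itself stat the directories.

```python
import os
import stat

def can_search(st, uid, gids):
    """True if uid/gids may traverse (x bit) the directory described by st."""
    if uid == 0:
        return True  # simplification: root bypasses mode-bit checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def lookup_result(path, uid, gids, start="/"):
    """Predict what looking up `path` yields for a process with uid/gids.

    Checks every directory from `start` down to the parent of `path`.
    Returns ("EACCES", dir), ("ENOENT", missing_path) or ("OK", path).
    """
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(os.path.dirname(path), start)
    dirs = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            return ("ENOENT", d)
        # Without search permission the kernel stops here with EACCES,
        # before it can learn whether the final name exists at all.
        if not can_search(st, uid, gids):
            return ("EACCES", d)
    if not os.path.lexists(path):
        return ("ENOENT", path)
    return ("OK", path)

if __name__ == "__main__":
    # Constructed identity: uid/gid 65534 stands in for any non-root account.
    print(lookup_result("/root/.forward", uid=65534, gids={65534}))
```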

    
