The sole purpose of spam...
Mar. 10th, 2002 10:12 pm
...is to let me know that my mail is working. Since nothing has arrived in any mailbox since yesterday afternoon, I started getting suspicious.
I looked at my 'maillog' file, and it is apparent that something happened between 14:33 and 14:37 yesterday, because at 14:36:53 (according to 'maillog'), 'postfix' starts misbehaving.
The log shows that postfix/pickup throws a fatal error, saying (I think) that the 'maildrop' directory is open, and exits. Over the next several seconds, 'postfix-script' warns that the 'active', 'bounce', 'corrupt', 'defer', 'deferred', 'incoming', 'private', 'public' and 'saved' scripts are not owned by 'postscript' (checking the eSlate shows that all these directories are owned by owner 'postfix' and group 'root' in the fresh-out-of-the-box config, and that the last character in the permissions string for 'maildrop' is 't', the so-called sticky-bit, and not 'T', which I am unfamiliar with [I thought the range was 'rwxXstugo'; maybe this is peculiar to RedHat?]).
There is also a log entry to the effect that '/var/spool/postfix/etc/passwd' and '/etc/passwd' differ from one another. This worries me, until I look and see only that some user accounts that were added after installing 'postfix' are not reflected in the copy of 'passwd' in the /var tree.
I begin to suspect that I have yet again been rooted, but that's a gut response, as what happened could, conceivably, have been caused by a failure to open or close a file properly. For someone to walk in and cover their tracks in the system logs but to leave all of 'postfix' lying out in the rain doesn't make much sense.
Cheers...
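As an added illustration, not part of the original post: a small Python check that renders a directory's mode the way 'ls -l' does (so the 't' versus 'T' question above is answered in code: 'T' is the sticky bit set without execute permission for others) and flags Postfix spool directories whose owner is not 'postfix'. The directory list and expected owner are assumptions taken from the post, and the sample entries are constructed.

```python
import os, pwd, grp, stat

# Spool directories postfix-script checks (names from the post, plus maildrop);
# expected owner is the 'postfix' user (assumption based on the post).
QUEUE_DIRS = ["active", "bounce", "corrupt", "defer", "deferred", "incoming",
              "maildrop", "private", "public", "saved"]
def mode_string(mode):
    """Permission string as 'ls -l' shows it: sticky is 't' when others also
    have execute and 'T' when they do not; setuid/setgid use 's'/'S' likewise."""
    bits = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
            stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
    out = [c if mode & b else "-" for c, b in zip("rwxrwxrwx", bits)]
    for pos, special in ((2, stat.S_ISUID), (5, stat.S_ISGID), (8, stat.S_ISVTX)):
        if mode & special:
            letter = "t" if pos == 8 else "s"
            out[pos] = letter if mode & bits[pos] else letter.upper()
    return "".join(out)

def audit(entries, expected_owner="postfix"):
    """entries maps dir name -> (owner, group, mode); returns a list of findings."""
    findings = []
    for name in QUEUE_DIRS:
        if name not in entries:
            findings.append(f"{name}: missing")
            continue
        owner, _group, mode = entries[name]
        if owner != expected_owner:
            findings.append(f"{name}: owner {owner}, expected {expected_owner}")
        if name == "maildrop" and not mode & stat.S_ISVTX:
            findings.append("maildrop: sticky bit not set (" + mode_string(mode) + ")")
    return findings

def collect(spool="/var/spool/postfix"):
    """Read owner/group/mode from a live spool tree (skips missing directories)."""
    entries = {}
    for name in QUEUE_DIRS:
        try:
            st = os.lstat(os.path.join(spool, name))
        except FileNotFoundError:
            continue
        entries[name] = (pwd.getpwuid(st.st_uid).pw_name,
                         grp.getgrgid(st.st_gid).gr_name, st.st_mode)
    return entries

# Constructed sample, not the post's machine: maildrop has the sticky bit but no
# 'x' for others, so ls shows 'T'; 'incoming' has the wrong owner.
SAMPLE = {d: ("postfix", "root", 0o40700) for d in QUEUE_DIRS}
SAMPLE["maildrop"] = ("postfix", "root", 0o41730)
SAMPLE["incoming"] = ("root", "root", 0o40700)
```

On a live box, `audit(collect())` runs the same checks against the real spool tree.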
no subject
Date: 2002-03-10 09:51 pm (UTC)
no subject
Date: 2002-03-10 09:54 pm (UTC)
In the interim, I found that attempts to fetchmail have been timing out with a vengeance, starting at 15:37, and that mail sent since yesterday at 15:37 has not been sent.
I am leaning further away from an intruder as the cause of this problem.
Cheers...