On Fri, 2003-08-22 at 18:50, Gerry Doris wrote:
> > Hello all,
> >
> > Looking through my mail log I noticed some strange flagged entries.
> > These were:
> >
> > sendmail[6056]: h7MB8Ucu006055: forward /root/.forward.Unimatrix0: Permission denied
> >
> > sendmail[6056]: h7MB8Ucu006055: forward /root/.forward: Permission denied
> >
> > From what I have read about on the subject I understand that a .forward
> > file is used to forward mail to another host. What is puzzling me is
> > that I have never created a root/.forward file, nor have I requested for
> > any mail to be forwarded by any other means.
> >
> > I was wondering if anyone out there knew the sort of thing that could
> > cause this, as I don't know if it's a malicious attempt to forward my
> > mail or if I have simply mis-configured something.
> >
> > Thanks in advance,
> > Adam Bowns
>
> Are you really sure you haven't created a .forward file in /root? Perhaps
> you used a vacation program at some point?
>
> The first thing I'd do is disconnect your box from the internet. Next
> open the .forward file and see what's in it. Hopefully, that will jog
> your memory. If it still doesn't look like something you've done then you
> have to assume your system has been broken into.
>
> You might want to run chkrootkit on your system. It will do a pretty
> thorough job of checking for rootkits that may have been installed.
> However, once someone has gotten in the only proper alternative is to
> reload your box.
>
> What version of OS are you running? Have you been keeping up with all the
> security patches?
>
> Gerry

I have checked again but the .forward file doesn't exist in my /root/
directory. This error is confusing me because I would expect it to give
a "No such file or directory" error instead of a "Permission denied".

The only thing that I have thought of was that it could be Apache trying
to send email as root, and it's getting a permission denied on the /root/
directory, not the .forward file itself... but that's just a stab in the
dark.

As for the system, it's on Red Hat 9, and fully up to date with all
security patches.

Thanks for the reply,
Adam Bowns
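
Added example, not part of the original thread: on POSIX systems, looking up a file inside a directory the caller cannot search fails with "Permission denied" even when the file does not exist, which is the distinction raised in the last message. The sketch predicts that outcome from mode bits alone; the function names, the temporary directory standing in for /root and the non-owner uid are assumptions, and the thread does not say which user sendmail was running as.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """True if uid/gids get search (x) permission on a directory, from mode bits alone."""
    if uid == 0:
        return True                                  # root bypasses directory mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)       # owner class applies exclusively
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def predict_errno(path, uid, gids=(), start=os.sep):
    """Predict the result of opening `path` as uid/gids.

    Returns ("EACCES", blocking_dir), ("ENOENT", None) or ("OK", None).
    Only directories from `start` down to the parent of `path` are checked;
    ACLs, SELinux and capabilities are ignored. Run it as a user who can
    stat every directory involved (normally root).
    """
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    rel = os.path.relpath(os.path.dirname(path), start)
    dirs = [start]
    for name in ([] if rel == "." else rel.split(os.sep)):
        dirs.append(os.path.join(dirs[-1], name))
    for d in dirs:
        if not can_search(os.stat(d), uid, gids):
            return ("EACCES", d)                     # lookup stops here; the file is never reached
    return ("OK", None) if os.path.lexists(path) else ("ENOENT", None)

def demo():
    """Constructed stand-in for /root: a home directory with no .forward in it."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "root")
        os.mkdir(home)
        target = os.path.join(home, ".forward")      # deliberately never created
        other_uid = os.stat(home).st_uid + 1         # hypothetical non-owner uid
        os.chmod(home, 0o700)                        # owner-only home directory
        locked = predict_errno(target, other_uid, start=home)
        os.chmod(home, 0o755)                        # searchable by everyone
        opened = predict_errno(target, other_uid, start=home)
        return locked, opened, home

if __name__ == "__main__":
    print(demo())
```

On a real host, `predict_errno("/root/.forward", uid)` run as root with the uid of the delivering process shows which directory, if any, stops the lookup.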