
I am getting these emails from root

I have been getting emails from root with a suspicious file alert containing these messages:

File:   /tmp/installd/perl588installer/CPAN-SQLite-0.196/t/01basic.t
Reason: Script, starts with #!
Owner:  :
Action: No action taken



File:   /tmp/installd/perl588installer/cleanversion

File:   /tmp/installd/perl588installer/install.tdy

Time: Wed Nov 18 19:23:45 2009 +1030
PID: 1600
Account: nobody
Uptime: 1805 seconds


Executable:

/usr/local/bin/perl


Command Line (often faked in exploits):

spamd child


Network connections by the process (if any):

tcp: 127.0.0.1:783 -> 0.0.0.0:0
tcp: 127.0.0.1:783 -> 127.0.0.1:36704


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/usr/local/bin/spamd
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/VBounce.pm

Is this normal, or is there something wrong?


Edit:

This is the output of lsof|grep '/tmp':

root@cpanel [~]# lsof|grep '/tmp/installd'
root@cpanel [~]# lsof|grep '/tmp'

cpdavd     3310     root    0r   REG              0,216    16658  106111164 (deleted) /tmp/sh-thd-1258730813
httpd      4020   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd      7753   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd      7970   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     11989   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     21987   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     21988   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     24054   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     24315     root   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     26560   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     26562   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     30318   nobody   33u   REG              0,216        0  106111145 (deleted) /tmp/ZCUD8EQE1B

2 Answers


Are you sure these come from root? If yes - does root have a .forward file in /root with your email address in that file? Also please grep -R 'your@email.here' /etc (do that as superuser if you can) to find out if you are the configured recipient for any software.

Normally this kind of email is sent by software like rkhunter. Less similar to your output (but similar in use) is samhain. Further on I'll use 'rkhunter', but you may have different software.

If you are root at that machine - check cron entries for any commands you do not know. Most likely someone installed rkhunter, and somehow configured your address to be the recipient of scan results.

If you are not root - forward a few of these emails to root or system administrator's email.

Regarding the messages themselves - those could be genuine threat detections, but most likely rkhunter is missing a few exclusions. Also, it could be safe to clean the /tmp directory to get rid of the first few warnings - there should be nothing valuable in there.

chronos
  • I have got the VPS, so I am the root user. I think I have installed CSF firewall and it is that which is sending the mails. Is it ok if I run a cron job at 4AM in the morning to empty the /tmp directory daily? –  Nov 20 '09 at 21:16
  • Purging /tmp as a cron job is not a good idea. Run `lsof| grep '/tmp'` to see how many files in /tmp are used by running programs. If you are not in the process of installing anything, then removing /tmp/installd/perl588installer/ (or /tmp/installd/) should be safe. First check that none of the files from /tmp/installd are used by running programs with `lsof|grep '/tmp/installd'`. You need to examine each incoming email report, and take 1 of 2 actions: a) configure CSF to ignore/whitelist the reported valid program, or b) remove the undesired reported component. Be perfectly sure what you do. – chronos Nov 20 '09 at 23:27
  • I have edited my post and that was the output –  Nov 21 '09 at 12:19
  • You may want to restart httpd and cpdavd (is that the cPanel daemon?), as they refer to deleted files in /tmp. Other than that, "You need to examine each incoming email report ..." from my previous comment, if you keep getting those emails. – chronos Nov 21 '09 at 13:13
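As an added example (not code from the question or either answer), here is a small POSIX shell triage of lsof output along the lines chronos suggests: it lists the processes holding deleted files under /tmp (the httpd and cpdavd case above, which points at a restart) and checks whether anything still has a file open under a directory such as /tmp/installd before that directory is removed. The sample lsof lines are adapted from the question with compacted columns, plus two constructed lines to exercise the in-use and not-under-/tmp cases.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Triage an lsof listing
# for /tmp: which processes hold deleted /tmp files (restart candidates), and
# whether a /tmp subdirectory is still in use before you remove it.
# Sample input: the first three lines are adapted from the question (columns
# compacted); the last two are CONSTRUCTED for the in-use and non-/tmp cases.
SAMPLE_LSOF='cpdavd     3310     root    0r   REG  0,216  16658  106111164 (deleted) /tmp/sh-thd-1258730813
httpd      4020   nobody   33u   REG  0,216      0  106111145 (deleted) /tmp/ZCUD8EQE1B
httpd     24315     root   33u   REG  0,216      0  106111145 (deleted) /tmp/ZCUD8EQE1B
spamd      1600   nobody    3r   REG  0,216    512  106111201 /tmp/installd/perl588installer/install.tdy
perl       1601   nobody  cwd    DIR  0,216   4096  106111100 /var/tmp/other'

# Read lsof output on stdin; print "COMMAND PID USER PATH" once per process
# that holds a deleted file under /tmp (lsof puts "(deleted)" before the path).
deleted_tmp_holders() {
    awk '$NF ~ /^\/tmp\// && $(NF-1) == "(deleted)" && !seen[$2]++ {
             print $1, $2, $3, $NF
         }'
}

# Read lsof output on stdin; print the PIDs with any open file under DIR ($1).
# Returns 0 (true) when DIR is in use, 1 when no process references it.
tmp_dir_in_use() {
    awk -v d="$1/" 'index($NF, d) == 1 && !seen[$2]++ { print $2; n++ }
                    END { exit n ? 0 : 1 }'
}

# Demo on the sample; on a live host use:  lsof | deleted_tmp_holders
echo "Processes holding deleted files under /tmp (restart candidates):"
printf '%s\n' "$SAMPLE_LSOF" | deleted_tmp_holders
if pids=$(printf '%s\n' "$SAMPLE_LSOF" | tmp_dir_in_use /tmp/installd); then
    echo "/tmp/installd still open by PID(s): $pids - do not remove yet"
else
    echo "/tmp/installd not in use by any process"
fi
```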

Any time files are replaced, CSF will think that it is suspicious. Files are normally updated daily on cPanel VPSs.