just in case someone else stumbles across this thread.. I've had the same mysterious entry in my auth.log and as far as I can tell it is NOT something evil
when I saw that entry I checked when and how often it occurs and I found that it appeared exactly every 24h...
looked like a cron job to me... so I checked /etc/cron.daily and found a script named
which contains:
Code:
#!/bin/sh
#
# Daily maintenance for amavisd-new
# $Id: amavisd-new.cron.daily 930 2006-08-10 13:38:45Z hmh $
#
test -e /usr/sbin/amavisd-new-cronjob && exec /usr/sbin/amavisd-new-cronjob sa-clean
exit 0
looks like a normal maintenance script to me... but to be sure I checked the content of
Code:
/usr/sbin/amavisd-new-cronjob
take a look:
Code:
#!/bin/sh
# amavisd-new cronjob helper
#
# Run it as root or as the amavis user
#
# First parameter specifies which cronjob routine to run:
# sa-sync: spamassassin fast sync
# sa-clean: spamassassin cleanup
test -e /usr/bin/sa-learn || exit 0
test -e /usr/sbin/amavisd-new || exit 0
SUUSER="amavis"
set -e
umask 022
# WATCH OUT FOR PROPER QUOTING LEVEL WHEN CALLING THIS!
do_amavis_cmd() {
	if [ "$(id -u -n)" != "${SUUSER}" ]; then
		exec /bin/su -s /bin/sh - "${SUUSER}" -c "$*" >/dev/null
	else
		# to get the same quoting level as the su path
		CMD="$*"
		exec ${CMD} >/dev/null
	fi
}
case $1 in
	sa-sync)
		do_amavis_cmd "/usr/bin/sa-learn --sync"
		;;
	sa-clean)
		do_amavis_cmd "/usr/bin/sa-learn --sync --force-expire"
		;;
	*)
		echo "$0: unknown cron routine $1" >&2
		exit 1
		;;
esac
exit 0
basically what it does is su-ing to the amavis user and calling a spamassassin cleanup method... so really .. nothing too evil
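Added example, not part of the original post: a small Python check that automates the triage described above by grouping su entries from auth.log by target and calling user and reporting pairs that recur at 24-hour intervals, which points at a daily cron job. The log lines are constructed, and the "Successful su for X by Y" wording, the function names and the 5-minute tolerance are assumptions to adapt to the entries on your own system.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the "Successful su for X by Y" wording is an
# assumed auth.log format, adjust the regex to match your own entries.
SAMPLE_LOG = """\
Mar  3 06:25:02 mail su[4121]: Successful su for amavis by root
Mar  3 06:25:02 mail su[4121]: + ??? root:amavis
Mar  3 14:02:17 mail su[5230]: Successful su for postgres by alice
Mar  4 06:25:01 mail su[6377]: Successful su for amavis by root
Mar  5 06:25:03 mail su[8810]: Successful su for amavis by root
Mar  5 23:40:55 mail su[9942]: Successful su for postgres by alice
Mar  6 06:25:02 mail su[11054]: Successful su for amavis by root
"""

SU_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: "
                   r"Successful su for (\S+) by (\S+)")

def su_events(text, year=2024):
    """Yield (timestamp, target_user, calling_user) for each su success."""
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def daily_su_pairs(text, tolerance=timedelta(minutes=5), min_events=3):
    """Return {(target, caller): count} for pairs recurring every ~24h."""
    by_pair = defaultdict(list)
    for ts, target, caller in su_events(text):
        by_pair[(target, caller)].append(ts)
    periodic = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # every gap must sit within the tolerance of exactly one day
        if len(stamps) >= min_events and all(
                abs(g - timedelta(days=1)) <= tolerance for g in gaps):
            periodic[pair] = len(stamps)
    return periodic

if __name__ == "__main__":
    for (target, caller), n in daily_su_pairs(SAMPLE_LOG).items():
        print(f"{caller} -> {target}: {n} events at 24h intervals; "
              f"check /etc/cron.daily for the job")
```

A pair that shows up here still needs the manual step from the post: find the cron script and read what it runs. Entries that do not fit a daily pattern, or whose calling user is not root, are the ones left over for closer review.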