
Thread: Someone on my server?

  1. #11
    Join Date
    Sep 2011
    Beans
    1,531

    Re: Someone on my server?

    Better safe than sorry. Plus with a reinstall you got rid of any other left-overs from the email server days.

  2. #12
    Join Date
    Jan 2009
    Location
    South Carolina
    Beans
    Hidden!
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Someone on my server?

    Quote, originally posted by Ms. Daisy:
    Better safe than sorry. Plus with a reinstall you got rid of any other left-overs from the email server days.

    Yep, and I blocked all ports except 22 and 80 (the only ones I really need), so I think we're good now.

  3. #13
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Someone on my server?

    Quote, originally posted by ubudog:
    Yep, and I blocked all ports except 22 and 80 (the only ones I really need), so I think we're good now.

    Indeed.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #14
    Join Date
    Jul 2011
    Beans
    126
    Distro
    Ubuntu Development Release

    Re: Someone on my server?

    Make sure to take all the necessary security measures to secure the services listening on those ports. Especially 22 (ssh). Key authentication, limit access, etc.

  5. #15
    Join Date
    Oct 2012
    Beans
    1

    Re: Someone on my server?

    Just in case someone else stumbles across this thread: I've had the same mysterious entry in my auth.log, and as far as I can tell it is NOT something evil.
    When I saw that entry I checked when and how often it occurs, and I found that it appeared exactly every 24h...

    Looked like a cron job to me... so I checked /etc/cron.daily and found a script named

    Code:
    amavisd-new
    which contains:

    Code:
    #!/bin/sh
    #
    #  Daily maintenance for amavisd-new
    #  $Id: amavisd-new.cron.daily 930 2006-08-10 13:38:45Z hmh $
    # 
    test -e /usr/sbin/amavisd-new-cronjob && exec /usr/sbin/amavisd-new-cronjob sa-clean
    exit 0
    Looks like a normal maintenance script to me... but to be sure I checked the content of
    Code:
     /usr/sbin/amavisd-new-cronjob
    take a look:

    Code:
    #!/bin/sh
    
    # amavisd-new cronjob helper
    #
    # Run it as root or as the amavis user
    #
    # First parameter specifies which cronjob routine to run:
    #         sa-sync:    spamassassin fast sync
    #         sa-clean:    spamassassin cleanup
    
    test -e /usr/bin/sa-learn || exit 0
    test -e /usr/sbin/amavisd-new || exit 0
    
    SUUSER="amavis"
    
    set -e
    umask 022
    
    # WATCH OUT FOR PROPER QUOTING LEVEL WHEN CALLING THIS!
    do_amavis_cmd() {
        if [ "$(id -u -n)" != "${SUUSER}" ]; then
            exec /bin/su -s /bin/sh - "${SUUSER}" -c "$*" >/dev/null
        else
            # to get the same quoting level as the su path
            CMD="$*"
            exec ${CMD} >/dev/null 
        fi
    }
    
    case $1 in
        sa-sync)
            do_amavis_cmd "/usr/bin/sa-learn --sync"
            ;;
        sa-clean)
            do_amavis_cmd "/usr/bin/sa-learn --sync --force-expire"
            ;;
        *)
            echo "$0: unknown cron routine $1" >&2
            exit 1
            ;;
    esac
    
    exit 0
    Basically what it does is su-ing to the amavis user and calling a SpamAssassin cleanup method... so really... nothing too evil.

  6. #16
    Join Date
    Jan 2010
    Beans
    21

    Re: Someone on my server?

    @goebeler:

    For a few days now I have also noticed the same in one of my email server logs:

    Successful su for amavis by root
    + ??? root:amavis 2012

    It is called by a cron job and seems to be related to a cleanup, as you stated.

    The strange thing is that I have been running amavis for about a year on this machine, and suddenly since last week I get this message in the auth.log every day at the same time.

    I posted on the amavis mailing list, but my message is still under moderation.. I didn't notice any updates for amavisd-new, so I am not quite reassured as to why it is running daily.. I do have a script in cron.daily though.
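
The check described in posts #15 and #16 (does the su entry recur every 24 hours, and does it fall inside a root cron run?), as an added example that is not part of the original thread. It assumes the usual Ubuntu auth.log line layout; the sample log, hostname, PIDs, the user "alice" and the function name `classify_su` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the usual Ubuntu auth.log layout (hostname, PIDs and "alice" are made up).
SAMPLE = """\
Oct 14 06:25:01 mail CRON[4101]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 14 06:25:03 mail su[4120]: Successful su for amavis by root
Oct 14 06:25:03 mail su[4120]: + ??? root:amavis
Oct 14 06:25:09 mail CRON[4101]: pam_unix(cron:session): session closed for user root
Oct 14 21:40:12 mail su[5530]: Successful su for root by alice
Oct 14 21:40:12 mail su[5530]: + /dev/pts/0 alice:root
Oct 15 06:25:01 mail CRON[6207]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 15 06:25:02 mail su[6226]: Successful su for amavis by root
Oct 15 06:25:08 mail CRON[6207]: pam_unix(cron:session): session closed for user root
Oct 16 06:25:01 mail CRON[8313]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 16 06:25:03 mail su[8332]: Successful su for amavis by root
Oct 16 06:25:10 mail CRON[8313]: pam_unix(cron:session): session closed for user root
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[(\d+)\]: (.*)$")
SU = re.compile(r"^Successful su for (\S+) by (\S+)$")

def classify_su(text, year=2012, period=timedelta(hours=24), slack=timedelta(minutes=5)):
    """Per (by, for) pair: event count, whether every gap is ~period, and whether each
    event fell while a root cron session was open (a heuristic, not proof of parentage)."""
    open_cron, events = set(), {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, pid, msg = m.group(2), m.group(3), m.group(4)
        if prog == "CRON" and "session opened for user root" in msg:
            open_cron.add(pid)
        elif prog == "CRON" and "session closed for user root" in msg:
            open_cron.discard(pid)
        elif prog == "su" and (s := SU.match(msg)):
            events.setdefault((s.group(2), s.group(1)), []).append((ts, bool(open_cron)))
    report = {}
    for pair, hits in events.items():
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        report[pair] = {
            "count": len(hits),
            "periodic": bool(gaps) and all(abs(g - period) <= slack for g in gaps),
            "in_cron": all(flag for _, flag in hits),
        }
    return report

if __name__ == "__main__":
    print(classify_su(SAMPLE))
```

A pair that is both periodic and inside a cron session matches the amavisd-new maintenance job shown above; a one-off su from a terminal, such as the constructed alice entry, is the kind that deserves a closer look.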
