Still getting mail weirdness

Geoffrey D. Bennett g at netcraft.com.au
Fri Jul 26 14:08:30 CST 2002


On Tue, Jul 23, 2002 at 11:39:14AM +1000, Michael Campbell wrote:
[...]
> g6J4wrY01995: Authentication-Warning: dave.2001: mick owned process doing 
> -bs
[...]
> now I know any process I do is basically BS but for a computer to know it 
> and come forth and report it to root .... scary.  but check out the 
> e-mails !!!  391 !

"-bs" (not "BS") is a sendmail switch presumably used by your mail
client when it sends an email.

> So does this mean someone is using my laptop to forward spam when I dial 
> up?  Am I sending spam (besides this of course) unknowingly?

Better to take a look at the actual logs (/var/log/maillog*) rather
than just worrying about the big number of messages.  Maybe you have a
cron job that is failing and sending mails to some account which you
aren't reading.  Maybe logwatch is counting the number of emails
wrong, or differently to how you would expect.

> **Unmatched Entries**
> Jul 19 13:30:08 Dave useradd[4795]: new group: name=vcsa, gid=69
> Jul 19 13:30:08 Dave useradd[4795]: new user: name=vcsa, uid=69, gid=69,
> home=/dev, shell=/sbin/nologin
[...]
> and the user 69 and group 69 sounds like something some script kiddie 
> would use, but doesn't shell=/sbin/nologin mean that they would never be 
> able to log in?  As well, I am using a laptop that only briefly connects 
> to the internet to send/receive e-mail.

I think people are being overly alarmist in saying that your system
has probably been hacked.

vcsa is the "virtual console memory owner" (/dev/vcs*)

# rpm -q dev --scripts | grep vcsa -B 1
/usr/sbin/useradd -c "virtual console memory owner" -u 69 \
        -s /sbin/nologin -r -d /dev vcsa 2> /dev/null || :

-- 
Geoffrey D. Bennett, RHCE, RHCX               geoffrey at netcraft.com.au
Senior Systems Engineer           http://www.netcraft.com.au/geoffrey/
NetCraft Australia Pty Ltd           http://www.netcraft.com.au/linux/
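
Added example, not part of the original post: one way to follow the advice above and read /var/log/maillog* rather than the logwatch total is to pair sendmail's from= and to= lines by queue id and tally who is mailing whom. The sample log is constructed and abbreviated (made-up hosts, queue ids and addresses; only the Authentication-Warning text comes from the thread), and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed, abbreviated sample in sendmail's syslog format. Real lines
# carry more fields; hosts, queue ids and addresses here are made up.
SAMPLE = """\
Jul 19 04:02:01 dave sendmail[4101]: g6IIW1a04101: from=root, size=612, nrcpts=1, relay=root@localhost
Jul 19 04:02:02 dave sendmail[4103]: g6IIW1a04101: to=root, mailer=local, stat=Sent
Jul 19 05:02:01 dave sendmail[4201]: g6IJW1a04201: from=root, size=615, nrcpts=1, relay=root@localhost
Jul 19 05:02:02 dave sendmail[4203]: g6IJW1a04201: to=root, mailer=local, stat=Sent
Jul 19 13:41:10 dave sendmail[1995]: g6J4wrY01995: Authentication-Warning: dave.2001: mick owned process doing -bs
Jul 19 13:41:10 dave sendmail[1995]: g6J4wrY01995: from=mick, size=1804, nrcpts=1, relay=mick@localhost
Jul 19 13:41:15 dave sendmail[1997]: g6J4wrY01995: to=<friend@example.org>, mailer=esmtp, stat=Deferred: Connection timed out
"""

# "<queue id>: from=<addr>," or "<queue id>: to=<addr>," after the sendmail tag.
# Only the first address of a multi-recipient to= field is captured.
ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (from|to)=([^,]+),")
STAT = re.compile(r"stat=(.*)$")


def flows(log_text):
    """Count delivery attempts as (sender, recipient, status) tuples."""
    sender = {}        # queue id -> envelope sender from the from= line
    counts = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue   # Authentication-Warning and other lines are skipped
        qid, kind, addr = m.groups()
        addr = addr.strip("<>")
        if kind == "from":
            sender[qid] = addr
            continue
        stat = STAT.search(line)
        # Keep only the text before the first colon, e.g. "Deferred".
        status = stat.group(1).split(":")[0].strip() if stat else "unknown"
        counts[(sender.get(qid, "?"), addr, status)] += 1
    return counts


if __name__ == "__main__":
    for (frm, to, status), n in flows(SAMPLE).most_common():
        print(f"{n:4d}  {frm} -> {to}  [{status}]")
```

A large count of root -> root local deliveries points at cron or logwatch output piling up in an unread mailbox; many distinct external recipients would be the pattern worth investigating further.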
