I saw this in Logwatch today for one of my servers:
--------------------- yum Begin ------------------------
Packages Installed: samba-common.i386 3.0.23c-2.el5.2.0.2 samba.i386 3.0.23c-2.el5.2.0.2
Packages Erased: samba-common samba
---------------------- yum End -------------------------
No one, including myself, has even logged into this box in the past few days (verified by asking the only other two people who have access and also looking at the last & secure logs).
And neither /var/log/yum.log nor /var/log/rpmpkgs shows samba at all being installed/erased/present.
I ran both chkrootkit and rkhunter, and both turned up clean.
Since this box is behind a firewall with only a few IPs given access to it, I'm thinking that it's not been rooted, but I can't seem to find any other explanation for this.
The only thing that runs on this server is httpd and jetty. Everything else is done manually including yum updates. And nothing that runs on this machine would ever need samba.
Has anyone ever encountered something like this?
johnn
Johnny Tan wrote:
> I saw this in Logwatch today for one of my servers:
> --------------------- yum Begin ------------------------
> Packages Installed: samba-common.i386 3.0.23c-2.el5.2.0.2 samba.i386 3.0.23c-2.el5.2.0.2
> Packages Erased: samba-common samba
> ---------------------- yum End -------------------------
> No one, including myself, has even logged into this box in the past few days (verified by asking the only other two people who have access and also looking at the last & secure logs).
> And neither /var/log/yum.log nor /var/log/rpmpkgs shows samba at all being installed/erased/present.
> I ran both chkrootkit and rkhunter, and both turned up clean.
> Since this box is behind a firewall with only a few IPs given access to it, I'm thinking that it's not been rooted, but I can't seem to find any other explanation for this.
> The only thing that runs on this server is httpd and jetty. Everything else is done manually including yum updates. And nothing that runs on this machine would ever need samba.
> Has anyone ever encountered something like this?
> johnn
If I may refer you to this thread, I believe your observations are similar to mine earlier this month:
http://lists.centos.org/pipermail/centos/2008-May/098839.html
and the cause is likely similar. Checking /var/log/yum.log for entries 1 year ago should confirm this.
Regards,
Ned
On Fri, May 16, 2008 at 11:59 AM, Ned Slider <ned@unixmail.co.uk> wrote:
> Johnny Tan wrote:
>> I saw this in Logwatch today for one of my servers:
> Checking /var/log/yum.log for entries 1 year ago should confirm this.
As this bit me once and I've just seen two people bitten by it again, I've taken the matter upstream: https://bugzilla.redhat.com/show_bug.cgi?id=447021
I hope they'll accept the suggestion.
Thanks, Filipe
Filipe Brandenburger wrote:
> On Fri, May 16, 2008 at 11:59 AM, Ned Slider <ned@unixmail.co.uk> wrote:
>> Johnny Tan wrote:
>>> I saw this in Logwatch today for one of my servers:
>> Checking /var/log/yum.log for entries 1 year ago should confirm this.
> As this bit me once and I've just seen two people bitten by it again, I've taken the matter upstream: https://bugzilla.redhat.com/show_bug.cgi?id=447021
> I hope they'll accept the suggestion.
> Thanks, Filipe
Thanks Filipe, as one of those bitten I've subscribed to the bug.
And another pet peeve of mine with logrotate: https://bugzilla.redhat.com/show_bug.cgi?id=447022
Once after an unclean reboot I got a corrupted /var/lib/logrotate.status, and after that logrotate just stopped working. The thing was that the server generated hundreds of megs per hour of log, and without logrotate very quickly we had a multi-gigabyte log in our hands.
Let's see if they will make this a more robust tool than it is today.
Filipe
On 16/05/2008, Johnny Tan <linuxweb@gmail.com> wrote:
> And neither /var/log/yum.log nor /var/log/rpmpkgs shows samba at all being installed/erased/present.
It might be worthwhile checking how often / at what size your yum.log file gets rotated. It could be that you are seeing the entry in /var/log/yum.log from a year ago...
Alan.
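
Added example, not part of any message in this thread: one way to run the check Ned and Alan suggest, in Python. It assumes yum.log lines begin with a year-less `Mon DD HH:MM:SS` timestamp and that the report matched entries by month and day alone; the sample log, the report date and the function names are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample: a never-rotated yum.log that spans a New Year.
# Assumption: every line starts with a year-less "Mon DD HH:MM:SS" stamp.
SAMPLE_LOG = """\
May 15 10:12:01 Installed: samba-common.i386 3.0.23c-2.el5.2.0.2
May 15 10:12:05 Installed: samba.i386 3.0.23c-2.el5.2.0.2
May 15 10:30:44 Erased: samba-common
May 15 10:30:44 Erased: samba
Sep 03 09:15:20 Updated: httpd.i386 2.2.3-11.el5
Jan 22 14:02:37 Updated: openssl.i686 0.9.8b-8.3.el5
May 02 08:45:10 Updated: kernel.i686 2.6.18-53.el5
"""

def assign_years(lines, last_year):
    """Walk the log from newest to oldest line and step the year back each
    time the timestamp jumps forward, which means a New Year was crossed.
    Gaps longer than a year cannot be detected this way."""
    out, year, newer = [], last_year, None
    for line in reversed([l for l in lines if l.strip()]):
        stamp, rest = line[:15], line[16:]
        # Parse against a fixed leap year so "Feb 29" never fails.
        t = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
        if newer is not None and t > newer:
            year -= 1
        newer = t
        out.append((year, t.month, t.day, rest.strip()))
    out.reverse()
    return out

def stale_matches(lines, report_date):
    """Entries whose month/day equals the report date but whose inferred
    year is earlier: what a date-only match would report as current."""
    # Assumption: the newest line in the log is from report_date's year.
    return [(y, msg) for y, m, d, msg in assign_years(lines, report_date.year)
            if (m, d) == (report_date.month, report_date.day)
            and y < report_date.year]

if __name__ == "__main__":
    # On a real host, read /var/log/yum.log instead of SAMPLE_LOG.
    for year, msg in stale_matches(SAMPLE_LOG.splitlines(), date(2008, 5, 15)):
        print(f"stale entry from {year}: {msg}")
```

An empty result means the reported package changes are not explained by old log lines and the host deserves a closer look.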