[CentOS] samba & samba-common installed then erased, but by whom?

Ned Slider ned at unixmail.co.uk
Fri May 16 15:59:38 UTC 2008


Johnny Tan wrote:
> I saw this in Logwatch today for one of my servers:
> 
>  --------------------- yum Begin ------------------------
> 
> 
>  Packages Installed:
>     samba-common.i386 3.0.23c-2.el5.2.0.2
>     samba.i386 3.0.23c-2.el5.2.0.2
> 
>  Packages Erased:
>     samba-common
>     samba
> 
>  ---------------------- yum End -------------------------
> 
> No one, including myself, has even logged into this box in the past few 
> days (verified by asking the only other two people who have access and 
> also looking at the last & secure logs).
> 
> And neither /var/log/yum.log nor /var/log/rpmpkgs shows samba at all 
> being installed/erased/present.
> 
> I ran both chkrootkit and rkhunter, and both turned up clean.
> 
> Since this box is behind a firewall with only a few IPs given access to 
> it, I'm thinking that it's not been rooted, but I can't seem to find any 
> other explanation for this.
> 
> The only thing that runs on this server is httpd and jetty. Everything 
> else is done manually including yum updates. And nothing that runs on 
> this machine would ever need samba.
> 
> Has anyone ever encountered something like this?
> 
> johnn

If I may refer you to this thread, I believe your observations are 
similar to mine earlier this month:

http://lists.centos.org/pipermail/centos/2008-May/098839.html

and the cause is likely similar. Checking /var/log/yum.log for entries 1 
year ago should confirm this.

Regards,

Ned
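
The check suggested above, as an added example that is not part of the original post: it assumes /var/log/yum.log lines of the form "Mon DD HH:MM:SS Action: package" with no year, infers a year for each entry, and lists those that share the report's month and day but come from an earlier year. The function names, the sample dates and the example-pkg lines are constructed for illustration.

```python
import re

# Assumed line shape of /var/log/yum.log on CentOS 5: "Mon DD HH:MM:SS Action: package"
# (no year field, so an entry from the same day a year earlier looks like a current one).
LINE = re.compile(r"^(\w{3}) +(\d{1,2}) \d\d:\d\d:\d\d (Installed|Updated|Erased): (.+)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def assign_years(lines, report_day):
    """Walk newest-to-oldest from report_day=(year, month, day); whenever the
    month/day jumps forward while going back in time, a year boundary was crossed."""
    year, prev = report_day[0], report_day[1:]
    dated = []
    for raw in reversed(lines):
        m = LINE.match(raw.strip())
        if not m or m.group(1) not in MONTHS:
            continue
        key = (MONTHS[m.group(1)], int(m.group(2)))
        if key > prev:
            year -= 1
        prev = key
        dated.append((year, key[0], key[1], m.group(3), m.group(4)))
    return dated[::-1]

def stale_matches(lines, report_day):
    """Entries sharing the report's month/day but inferred to be from an earlier year."""
    return [e for e in assign_years(lines, report_day)
            if e[1:3] == report_day[1:] and e[0] < report_day[0]]

# Constructed sample log (dates and the example-pkg lines are invented for illustration).
SAMPLE = """\
May 15 10:01:40 Installed: samba-common.i386 3.0.23c-2.el5.2.0.2
May 15 10:01:44 Installed: samba.i386 3.0.23c-2.el5.2.0.2
May 15 10:09:02 Erased: samba-common
May 15 10:09:02 Erased: samba
Aug 02 09:30:11 Updated: example-pkg.i386 1.0-2
Nov 20 14:05:53 Updated: example-pkg.i386 1.0-3
Feb 11 08:12:27 Updated: example-pkg.i386 1.0-4
""".splitlines()

if __name__ == "__main__":
    for year, mon, day, action, pkg in stale_matches(SAMPLE, (2008, 5, 15)):
        print(f"{year}-{mon:02d}-{day:02d} {action}: {pkg}")
```

The inference relies on later entries to reveal a year boundary: if the newest lines in the log fall on the report's own month and day, the dates alone cannot show whether they are current or a year old.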


