[CentOS] samba & samba-common installed then erased, but by whom?

Fri May 16 15:59:38 UTC 2008
Ned Slider <ned at unixmail.co.uk>

Johnny Tan wrote:
> I saw this in Logwatch today for one of my servers:
>  --------------------- yum Begin ------------------------
>  Packages Installed:
>     samba-common.i386 3.0.23c-2.el5.2.0.2
>     samba.i386 3.0.23c-2.el5.2.0.2
>  Packages Erased:
>     samba-common
>     samba
>  ---------------------- yum End -------------------------
> No one, including myself, has even logged into this box in the past few 
> days (verified by asking the only other two people who have access and 
> also looking at the last & secure logs).
> And neither /var/log/yum.log nor /var/log/rpmpkgs shows samba at all 
> being installed/erased/present.
> I ran both chkrootkit and rkhunter, and both turned up clean.
> Since this box is behind a firewall with only a few IPs given access to 
> it, I'm thinking that it's not been rooted, but I can't seem to find any 
> other explanation for this.
> The only thing that runs on this server is httpd and jetty. Everything 
> else is done manually including yum updates. And nothing that runs on 
> this machine would ever need samba.
> Has anyone ever encountered something like this?
> johnn

If I may refer you to this thread, I believe your observations are 
similar to mine earlier this month:


and the cause is likely similar. Checking /var/log/yum.log for entries 1 
year ago should confirm this.
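
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: yum.log timestamps carry no year, so this script infers each entry's year from file order and lists entries that share a report date's month and day but fall in an earlier year. The function names, the 2008-05-15 report date and the sample log are constructed for illustration.

```python
import re
from datetime import date

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
LINE = re.compile(r"^(%s)\s+(\d{1,2}) (\d\d:\d\d:\d\d) (Installed|Updated|Erased): (.+)$"
                  % "|".join(MONTHS))

# Constructed sample in yum.log layout: oldest entry first, no year field.
# Only the samba names come from the Logwatch excerpt; the rest is made up.
SAMPLE_LOG = """\
May 15 10:02:11 Installed: samba-common.i386 3.0.23c-2.el5.2.0.2
May 15 10:02:14 Installed: samba.i386 3.0.23c-2.el5.2.0.2
May 15 10:40:03 Erased: samba-common
May 15 10:40:03 Erased: samba
Nov 02 09:15:40 Updated: example-pkg-a.i386 1.0-1
Feb 20 08:01:09 Updated: example-pkg-b.i386 1.0-2
May 14 07:30:00 Updated: example-pkg-c.noarch 1.0-3
"""

def infer_years(text, last_year):
    """Return (year, month, day, action, package) per entry, with the final
    entry placed in last_year. A timestamp that goes backwards marks a new
    year; gaps longer than a year cannot be detected this way."""
    rows, wraps, prev = [], 0, None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a yum transaction line
        key = (MONTHS.index(m.group(1)) + 1, int(m.group(2)), m.group(3))
        if prev is not None and key < prev:
            wraps += 1  # month/day/time went backwards: a new year began
        prev = key
        rows.append((wraps, key[0], key[1], m.group(4), m.group(5)))
    return [(last_year - (wraps - w), mo, d, a, p) for w, mo, d, a, p in rows]

def stale_matches(text, report_day):
    """Entries with report_day's month and day but an earlier inferred year."""
    return [r for r in infer_years(text, report_day.year)
            if (r[1], r[2]) == (report_day.month, report_day.day)
            and r[0] < report_day.year]

if __name__ == "__main__":
    for year, mo, d, action, pkg in stale_matches(SAMPLE_LOG, date(2008, 5, 15)):
        print("%d-%02d-%02d %s: %s" % (year, mo, d, action, pkg))
```

On a real host, feed it the rotated yum.log files concatenated oldest first, so that entries from the previous year are included.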