[1794] in RedHat Linux List
Re:Intrusion
daemon@ATHENA.MIT.EDU (Wierdl Mate)
Wed Oct 30 08:49:52 1996
To: redhat-list@redhat.com, iburrell@leland.Stanford.EDU
Date: Wed, 30 Oct 1996 08:47:51 -0600
From: Wierdl Mate <matyi@wierdlmpc.msci.memphis.edu>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
>>I just got this mail:
>>
>> From: root@moni.msci.memphis.edu (Cron Daemon)
>> To: root@moni.msci.memphis.edu
>> Subject: Cron <root@moni> /usr/sbin/tmpwatch 240 /tmp /var/tmp
>> X-Cron-Env: <SHELL=/bin/bash>
>> X-Cron-Env: <PATH=/sbin:/bin:/usr/sbin:/usr/bin>
>> X-Cron-Env: <MAILTO=root>
>> X-Cron-Env: <HOME=/root>
>> X-Cron-Env: <LOGNAME=root>
>>
>>
>>
>> error: error: inode information changed for No such file or
>> directory!!!this indicates a possible intrusion attempt
>>
>>
>> Is it possible that this is just caused by moving /tmp to a
>> different disk and now I have the link
>>
>> tmp ->> /disk02/tmp/
>>
>I got the same error message after moving my /var/tmp to a different
>disk and making the link. The solution so you don't get this message
>every day is to change the tmpwatch line to use the actual path name.
Great, now everything is working fine; I just changed crontab as you
suggested. I wonder though why tmpwatch (or cron) is not willing to
deal with symbolic links --- and sends scary messages.
Mate
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
________________________________________________________________________
http://www.redhat.com/RedHat-FAQ http://www.redhat.com/RedHat-Errata
http://www.redhat.com/RedHat-Tips http://www.redhat.com/mailing-lists
------------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe redhat-list-request@redhat.com < /dev/null
