Suspicious File Alert: Do I need to worry?

jim.thornton

I received the following email yesterday and today.

Time: Thu Apr 20 09:05:41 2023 -0400
File: /tmp/.spamassassin16069rJtyOZtmp
Reason: Suspicious directory
Owner: nobody:nobody (99:99)
Action: No action taken

Is this something I need to worry about?
 
Is this something I need to worry about?
It seems to come from Spamassassin. Probably from an update.
Normally the file is cleaned up after the update. If it's not used anymore you could also delete it manually.

Or the directory, if it's a directory (since the message says directory). You can have a look inside to see whether it's empty or not.
 
I just deleted the directories in my tmp folder. I have not received another one.

But how did it get there?
 
I had the same on a freshly installed server. Might have happened on installing or updating spamassassin for the first time, or maybe something via CPAN if that is used.
I haven't seen it again on the newly installed server so far either. But in my case they were removed automatically. They were already gone when I checked, so the install or update cleaned up better.

Normally temp files go into temp directories, and since root installs and updates spamassassin, this seems normal to me.
 
Some files get locked somehow, just delete them to get rid of this notification
 
Hello,

1skMzQ-00000000lIY-1GsJ-D
Time: Sat Aug 31 15:14:00 2024 +0300
File: /tmp/.spamassassin112077HWvW27tmp/.spamassassin
Reason: Suspicious directory
Owner: nobody:nobody (65534:65534)
Action: No action taken


Does anyone have any ideas on how to fix this issue? I just set up a new server and started getting messages like this all the time. 300-500 a day

AlmaLinux 9.x server.
 
Might go away after a couple of days. Had that too on my server. Maybe it takes a reboot, not sure anymore.

Be sure this is in your csf.pignore file:
cmd:spamd child
 
Hello Richard,
Thank you for your valuable response.
I added what you said. I hope I will get rid of these messages.
I will post it here whether it is positive or negative. Thanks again for your help and ideas.
 
In addition, you can also add all 3 like this:
Code:
exe:/usr/bin/spamc
exe:/usr/bin/spamd
cmd:spamd child
 
I'm so sorry but the problem persists.

Time: Sat Aug 31 21:21:42 2024 +0300
File: /tmp/.spamassassin112077HWvW27tmp
Reason: Suspicious directory
Owner: nobody:nobody (65534:65534)
Action: No action taken
 
There are 2 ways to disable these notices; neither is the best option, but I don't know any other way.

Option 1:
Stop monitoring user "nobody": add the following line to your /etc/csf/csf.pignore file and restart csf and lfd.
user:username

Option 2:
Disable the directory watching. I would suggest that you secure your /tmp directory first. Check this setting in your /etc/csf/csf.conf file; it is set to 1, so change it to 0 like this and then restart csf and lfd.
LF_DIRWATCH = "0"
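The thread gives three pieces of advice in turn: look inside the flagged directory before deciding anything, add the spamc/spamd entries to csf.pignore, and as a last resort set LF_DIRWATCH = "0". The script below is an added example, not code from the thread or from csf/lfd, that does those steps in order: it parses an lfd alert body, decides whether the path and owner match the spamd scratch-directory pattern seen in the alerts above, offers a live inspection of the directory, and applies the two config changes idempotently so running it twice does not duplicate lines. It assumes spamd runs as the user named in the alert (SPAMD_USER, "nobody" on both servers in the thread) and that the directories follow the /tmp/.spamassassin<pid><random>tmp naming shown there; the function and variable names are the example's own. The sample alert embedded in it is copied from the post above.

```shell
#!/bin/sh
# Triage helper for lfd "Suspicious directory" alerts on /tmp.
# Added example, not code from the thread or from csf/lfd. Assumptions: spamd
# runs as the unprivileged user the alert names ($SPAMD_USER, "nobody" here,
# as on both servers in the thread) and its scratch dirs are named
# /tmp/.spamassassin<pid><random>tmp, as in the alerts quoted above.

SPAMD_USER=${SPAMD_USER:-nobody}

# Constructed sample input: one alert body as lfd mailed it (copied from the thread).
SAMPLE_ALERT='Time: Sat Aug 31 21:21:42 2024 +0300
File: /tmp/.spamassassin112077HWvW27tmp
Reason: Suspicious directory
Owner: nobody:nobody (65534:65534)
Action: No action taken'

# Print the value of one "Key: value" line from an alert body ($1); key in $2.
lfd_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p"
}

# Return 0 when path ($1) and owner ($2, in lfd's "user:group (uid:gid)" form)
# look like a spamd scratch directory, or the .spamassassin subdir inside one.
is_spamd_tmpdir() {
    case $1 in
        /tmp/.spamassassin*tmp|/tmp/.spamassassin*tmp/.spamassassin) ;;
        *) return 1 ;;
    esac
    case $2 in
        "$SPAMD_USER":*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one alert body: 0 when it matches the spamd pattern, 1 otherwise.
triage_alert() {
    path=$(lfd_field "$1" File)
    owner=$(lfd_field "$1" Owner)
    if is_spamd_tmpdir "$path" "$owner"; then
        echo "looks like a spamd scratch dir: $path ($owner)"
        return 0
    fi
    echo "needs a closer look: $path ($owner)"
    return 1
}

# Live check for the server itself (only useful while the flagged path still
# exists): who owns it, what is inside, whether a process still holds it open
# (fuser from psmisc, if installed), and whether spamd really runs as $SPAMD_USER.
inspect_flagged_path() {
    if [ ! -e "$1" ]; then
        echo "$1 is gone; spamd cleaned up after itself"
        return 0
    fi
    ls -laR "$1"
    if command -v fuser >/dev/null 2>&1; then
        fuser -v "$1" 2>&1 || true      # no output means nothing has it open
    fi
    ps -o pid,user,comm -C spamd 2>/dev/null || echo "no spamd process found"
}

# Idempotently add the three csf.pignore entries suggested in the thread.
# $1 is the pignore file (defaults to /etc/csf/csf.pignore; pass a copy to test).
csf_pignore_add_spamd() {
    file=${1:-/etc/csf/csf.pignore}
    for entry in 'exe:/usr/bin/spamc' 'exe:/usr/bin/spamd' 'cmd:spamd child'; do
        grep -qxF "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
    done
}

# Rewrite one KEY = "value" line in a csf.conf ($1), e.g.
# csf_conf_set /etc/csf/csf.conf LF_DIRWATCH 0  (the last resort from the thread).
csf_conf_set() {
    tmp=$(mktemp)
    sed "s/^$2 = \".*\"/$2 = \"$3\"/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Usage on the server, with the alert mail body saved to alert.txt:
#   . ./lfd_tmp_triage.sh
#   triage_alert "$(cat alert.txt)" && inspect_flagged_path "$(lfd_field "$(cat alert.txt)" File)"
#   csf_pignore_add_spamd && csf -ra        # restart csf and lfd
```

Keep the order: run triage_alert and inspect_flagged_path first, because an alert whose path or owner does not match the spamd pattern is exactly the case LF_DIRWATCH exists to catch, and csf_conf_set on LF_DIRWATCH silences every /tmp finding, not just this one.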
 
I disable CSF's directory watching... Although useful, it's like acting as a spammer, especially if you have hundreds of accounts on a server...

Additionally, install maldet in notify (live monitoring) mode.
 
First of all, thank you very much for your answer.
I applied the second option. Let's see if the system message comes again.


Also, Dear Richard
One issue that caught my attention here is the security of the tmp folder.
This file is configured with the permissions that come with the standard installation. What kind of security suggestion do you have?
 
First of all, thank you very much for your answer.
You're welcome.

As for your second question, I'm not sure if it's still required. I thought I read somewhere that php-fpm took care of this now. But I use this to secure the /dev/shm and the /tmp and then give enough space to DA for other temp things.

 
Dear Richard,
I think it's solved now. I'm not receiving any messages.
Thank you for your help.
Regards.
 