Spam assassin and Qmail Scanner issue after update to 2.2.5

Posted: Wed Mar 24, 2010 9:52 am
by JnascECSI
After updating OSSEC and ASL this morning I'm getting the following OSSEC messages almost every minute. Anyone have a clue on what could have caused this?

OSSEC HIDS Notification.
2010 Mar 24 09:45:06

Received From: inet3170->/var/log/psa/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 24 09:45:05 inet3170 spamd[30589]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /var/qmail/mailnames///.spamassassin/auto-whitelist.lock.inetxxxx.xxxxxxxx.com.30589 for /var/qmail/mailnames///.spamassassin/auto-whitelist.lock: No such file or directory



--END OF NOTIFICATION



OSSEC HIDS Notification.
2010 Mar 24 09:45:06

Received From: inet3170->/var/log/psa/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 24 09:45:05 inet3170 X-Qmail-Scanner-2.08st: [inetxxxx.xxxxxxx.com126943830179031522] Unable to close pipe to /var/qmail/bin/qmail-queue.orig [61] (#4.3.0) - Illegal seek



--END OF NOTIFICATION

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Posted: Wed Mar 24, 2010 11:03 am
by scott
That means that whatever user spamd is running as can't write to /var/qmail/mailnames///.spamassassin/

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Posted: Wed Mar 24, 2010 12:46 pm
by JnascECSI
All I see is either popuser or root using spamd when running TOP command. What I don't understand is how this was not a problem before, then after I updated ASL and OSSEC this morning, all of a sudden this is happening.

And not sure where to begin to fix it.

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Posted: Wed Mar 24, 2010 1:14 pm
by scott
Probably because it wasn't able to detect it before. ASL 2.2.5 & OSSEC 2.4 can detect mail events now (like smtp/pop/imap brute forcing). Previous versions couldn't parse the mail logs. This has probably been happening for a while, just wasn't being reported.

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Posted: Wed Mar 24, 2010 3:23 pm
by JnascECSI
So good guess is to probably remove spamassassin and qmail-scanner and re-install them all, or am I way off? But if I do that, doesn't it remove the atomic-scanner also? Not sure what order I should choose.

Re: Spam assassin and Qmail Scanner issue after update to 2.2.5

Posted: Wed Mar 24, 2010 5:24 pm
by breun
That Illegal seek message is caused by a bug in Plesk's qmail. There is a patched qmail-queue here: http://forum.parallels.com/showpost.php ... stcount=51

If you're using qmail-scanner make sure you replace /var/qmail/bin/qmail-queue.orig with the patched version (and match that file's ownership and permissions) instead of /var/qmail/bin/qmail-queue.
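
One way to do the replacement described in the post above while keeping the existing file's ownership and permissions, as an added example that is not part of the thread. It assumes GNU coreutils (`chown --reference`, `chmod --reference`, `stat -c`); the function names, the backup/temp file suffixes and the location of the downloaded patched binary are hypothetical.

```shell
#!/bin/sh
# Added example: swap in a patched binary without changing the owner,
# group or mode that the existing file has.

# same_meta A B: succeed if A and B have identical owner, group and mode.
same_meta() {
    [ "$(stat -c '%U:%G %a' "$1")" = "$(stat -c '%U:%G %a' "$2")" ]
}

# install_patched TARGET PATCHED
#   TARGET  = file to replace (e.g. /var/qmail/bin/qmail-queue.orig)
#   PATCHED = downloaded patched binary (location is up to you)
install_patched() {
    target=$1
    patched=$2
    if [ ! -f "$target" ] || [ ! -f "$patched" ]; then
        echo "install_patched: missing file" >&2
        return 1
    fi

    backup="$target.bak.$$"   # untouched copy of the current file
    tmp="$target.new.$$"      # staged in the same directory so mv is a rename

    cp -p "$target" "$backup" || return 1
    cp "$patched" "$tmp" || return 1

    # Order matters: changing ownership can clear setuid/setgid bits,
    # so copy owner and group first and the mode afterwards.
    if ! chown --reference="$target" "$tmp" ||
       ! chmod --reference="$target" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Atomic swap, then confirm the metadata matches the backup.
    mv -f "$tmp" "$target" || return 1
    same_meta "$target" "$backup"
}

# Usage (run as root; second path is a placeholder):
#   install_patched /var/qmail/bin/qmail-queue.orig /root/qmail-queue.patched
```

The backup file is left in place so the previous binary can be restored if mail delivery breaks after the swap.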