waldo@admirer:/var$ ll mail
total 32K
4.0K drwxrwsr-x  2 root  mail 4.0K Nov 16 15:08 .
 24K -rw-rw----  1 waldo mail  19K Nov 16 15:08 waldo
4.0K drwxr-xr-x 12 root root 4.0K Nov 29 2019 ..
A mailbox is available for the waldo user.
This was also found by PEAS earlier.
waldo@admirer:/var$ cat mail/waldo
from root@admirer.htb wed apr 22 11:50:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 22 Apr 2020 11:50:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jRCx7-0000XY-Op
for root@admirer.htb; wed, 22 apr 2020 11:50:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jRCx7-0000XY-Op@admirer.htb>
date: Wed, 22 Apr 2020 11:50:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 22 11:55:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 22 Apr 2020 11:55:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jRD1x-0000Xl-Qt
for root@admirer.htb; wed, 22 apr 2020 11:55:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jRD1x-0000Xl-Qt@admirer.htb>
date: Wed, 22 Apr 2020 11:55:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 22 12:00:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 22 Apr 2020 12:00:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jRD6n-0000Xr-Sz
for root@admirer.htb; wed, 22 apr 2020 12:00:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jRD6n-0000Xr-Sz@admirer.htb>
date: Wed, 22 Apr 2020 12:00:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 09:50:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 09:50:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTiPp-0000X0-DZ
for root@admirer.htb; wed, 29 apr 2020 09:50:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTiPp-0000X0-DZ@admirer.htb>
date: Wed, 29 Apr 2020 09:50:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 09:55:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 09:55:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTiUf-0000aC-Fc
for root@admirer.htb; wed, 29 apr 2020 09:55:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTiUf-0000aC-Fc@admirer.htb>
date: Wed, 29 Apr 2020 09:55:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:00:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:00:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTiZV-0000aP-IK
for root@admirer.htb; wed, 29 apr 2020 10:00:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTiZV-0000aP-IK@admirer.htb>
date: Wed, 29 Apr 2020 10:00:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:05:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:05:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTieL-0000aV-Kk
for root@admirer.htb; wed, 29 apr 2020 10:05:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTieL-0000aV-Kk@admirer.htb>
date: Wed, 29 Apr 2020 10:05:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:10:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:10:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTijB-0000bc-Q5
for root@admirer.htb; wed, 29 apr 2020 10:10:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTijB-0000bc-Q5@admirer.htb>
date: Wed, 29 Apr 2020 10:10:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:15:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:15:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTio1-0000cZ-SR
for root@admirer.htb; wed, 29 apr 2020 10:15:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTio1-0000cZ-SR@admirer.htb>
date: Wed, 29 Apr 2020 10:15:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:20:02 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:20:02 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTisr-0000dG-Uz
for root@admirer.htb; wed, 29 apr 2020 10:20:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTisr-0000dG-Uz@admirer.htb>
date: Wed, 29 Apr 2020 10:20:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:40:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:40:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjCD-0000Y1-Hz
for root@admirer.htb; wed, 29 apr 2020 10:40:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjCD-0000Y1-Hz@admirer.htb>
date: Wed, 29 Apr 2020 10:40:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:45:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:45:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjH3-0000Y8-KD
for root@admirer.htb; wed, 29 apr 2020 10:45:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjH3-0000Y8-KD@admirer.htb>
date: Wed, 29 Apr 2020 10:45:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:50:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:50:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjLt-0000YF-MR
for root@admirer.htb; wed, 29 apr 2020 10:50:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjLt-0000YF-MR@admirer.htb>
date: Wed, 29 Apr 2020 10:50:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 10:55:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 10:55:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjQj-0000Yi-Ol
for root@admirer.htb; wed, 29 apr 2020 10:55:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjQj-0000Yi-Ol@admirer.htb>
date: Wed, 29 Apr 2020 10:55:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 11:05:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 11:05:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjaP-0000Zf-Rd
for root@admirer.htb; wed, 29 apr 2020 11:05:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjaP-0000Zf-Rd@admirer.htb>
date: Wed, 29 Apr 2020 11:05:01 +0100
rm: cannot remove '/tmp/*': No such file or directory
from root@admirer.htb wed apr 29 11:09:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 11:09:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjeH-0000aO-Tk
for root@admirer.htb; wed, 29 apr 2020 11:09:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm -r /tmp/*.*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjeH-0000aO-Tk@admirer.htb>
date: Wed, 29 Apr 2020 11:09:01 +0100
rm: cannot remove '/tmp/*.*': No such file or directory
from root@admirer.htb wed apr 29 11:10:02 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 11:10:02 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjfF-0000bC-Vu
for root@admirer.htb; wed, 29 apr 2020 11:10:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm /home/waldo/*.p*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjfF-0000bC-Vu@admirer.htb>
date: Wed, 29 Apr 2020 11:10:01 +0100
rm: cannot remove '/home/waldo/*.p*': No such file or directory
from root@admirer.htb wed apr 29 11:12:02 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 11:12:02 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjhC-0000bf-2B
for root@admirer.htb; wed, 29 apr 2020 11:12:02 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm /home/waldo/*.p*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjhC-0000bf-2B@admirer.htb>
date: Wed, 29 Apr 2020 11:12:02 +0100
rm: cannot remove '/home/waldo/*.p*': No such file or directory
from root@admirer.htb wed apr 29 11:13:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 11:13:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTji9-0000bm-4I
for root@admirer.htb; wed, 29 apr 2020 11:13:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm /home/waldo/*.p*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTji9-0000bm-4I@admirer.htb>
date: Wed, 29 Apr 2020 11:13:01 +0100
rm: cannot remove '/home/waldo/*.p*': No such file or directory
from root@admirer.htb wed apr 29 11:14:01 2020
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Wed, 29 Apr 2020 11:14:01 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1jTjj7-0000c4-6S
for root@admirer.htb; wed, 29 apr 2020 11:14:01 +0100
from: root@admirer.htb (Cron Daemon)
to: root@admirer.htb
subject: Cron <root@admirer> rm /home/waldo/*.p*
mime-version: 1.0
content-type: text/plain; charset=UTF-8
content-transfer-encoding: 8bit
x-cron-env: <SHELL=/bin/sh>
x-cron-env: <HOME=/root>
x-cron-env: <PATH=/usr/bin:/bin>
x-cron-env: <LOGNAME=root>
message-id: <E1jTjj7-0000c4-6S@admirer.htb>
date: Wed, 29 Apr 2020 11:14:01 +0100
rm: cannot remove '/home/waldo/*.p*': No such file or directory
from root@admirer.htb thu aug 24 16:05:11 2023
return-path: <root@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Thu, 24 Aug 2023 16:05:11 +0100
received: from root by admirer.htb with local (Exim 4.89)
(envelope-from <root@admirer.htb>)
id 1qZBtD-0000y1-GN
for root@admirer.htb; thu, 24 aug 2023 16:04:51 +0100
auto-submitted: auto-generated
subject: =?utf-8?q?apt-listchanges=3A_news_for_admirer?=
to: root@admirer.htb
mime-version: 1.0
content-type: text/plain; charset="utf-8"
content-transfer-encoding: 7bit
message-id: <E1qZBtD-0000y1-GN@admirer.htb>
from: root <root@admirer.htb>
date: Thu, 24 Aug 2023 16:04:51 +0100
linux-latest (80+deb9u16) stretch-security; urgency=high
  * From Linux 4.9.303-1, the Extended Berkeley Packet Filter (eBPF)
    facility is no longer enabled by default for users without the
    CAP_SYS_ADMIN capability (this normally means only the root user).
    eBPF can be used for speculative execution side-channel attacks, and
    earlier attempts to mitigate this have not completely succeeded.
    This can be overridden by setting the sysctl:
    kernel.unprivileged_bpf_disabled=0
 -- Ben Hutchings <benh@debian.org>  Mon, 07 Mar 2022 22:37:11 +0100
cron (3.0pl1-128+deb9u2) stretch-security; urgency=medium
  * As a reasonable protective measure, crontabs are now limited to 10000 lines
    in length per crontab.
    The maintainers find it very unlikely that longer crontabs exist; however,
    if you do have a use case, please file a bug report with a brief rationale,
    and we will consider raising this limit.
 -- Christian Kastner <ckk@debian.org>  Sun, 10 Mar 2019 17:44:13 +0100
from waldo@admirer.htb thu nov 16 14:53:37 2023
return-path: <waldo@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Thu, 16 Nov 2023 14:53:37 +0000
received: from waldo by admirer.htb with local (Exim 4.89)
(envelope-from <waldo@admirer.htb>)
id 1r3dk5-0003Du-Iy
for root@admirer.htb; thu, 16 nov 2023 14:53:17 +0000
to: root@admirer.htb
auto-submitted: auto-generated
subject: *** SECURITY information for admirer.htb ***
from: Waldo Cooper <waldo@admirer.htb>
message-id: <E1r3dk5-0003Du-Iy@admirer.htb>
date: Thu, 16 Nov 2023 14:53:17 +0000
admirer.htb : Nov 16 14:52:57 : waldo : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/run/shm ; USER=root ; COMMAND=list
from waldo@admirer.htb thu nov 16 15:08:56 2023
return-path: <waldo@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Thu, 16 Nov 2023 15:08:56 +0000
received: from waldo by admirer.htb with local (Exim 4.89)
(envelope-from <waldo@admirer.htb>)
id 1r3dyu-0005Z2-F9
for root@admirer.htb; thu, 16 nov 2023 15:08:36 +0000
to: root@admirer.htb
auto-submitted: auto-generated
subject: *** SECURITY information for admirer.htb ***
from: Waldo Cooper <waldo@admirer.htb>
message-id: <E1r3dyu-0005Z2-F9@admirer.htb>
date: Thu, 16 Nov 2023 15:08:36 +0000
admirer.htb : Nov 16 15:08:16 : waldo : a password is required ; TTY=pts/1 ; PWD=/run/shm ; USER=root ; COMMAND=/usr/bin/id
from waldo@admirer.htb thu nov 16 15:08:56 2023
return-path: <waldo@admirer.htb>
envelope-to: root@admirer.htb
delivery-date: Thu, 16 Nov 2023 15:08:56 +0000
received: from waldo by admirer.htb with local (Exim 4.89)
(envelope-from <waldo@admirer.htb>)
id 1r3dyu-0005ZY-Ew
for root@admirer.htb; thu, 16 nov 2023 15:08:36 +0000
to: root@admirer.htb
auto-submitted: auto-generated
subject: *** SECURITY information for admirer.htb ***
from: Waldo Cooper <waldo@admirer.htb>
message-id: <E1r3dyu-0005ZY-Ew@admirer.htb>
date: Thu, 16 Nov 2023 15:08:36 +0000
admirer.htb : Nov 16 15:08:16 : waldo : a password is required ; TTY=pts/1 ; PWD=/run/shm ; USER=root ; COMMAND=list
A lot of mail has been delivered to the waldo user.
Besides the automated authentication notices (the sudo "SECURITY information" mails), the rest come from a cron job.
They are about the following two things:
rm: cannot remove '/tmp/*': No such file or directory
rm: cannot remove '/home/waldo/*.p*': No such file or directory
Cronjob
That indicates that a cron job is running in the background as root, actively executing the following suspected commands (the Subject header of each cron mail records the exact command line that was run: rm -r /tmp/*, later rm -r /tmp/*.*, and rm /home/waldo/*.p*):
rm -rf /tmp/*
rm -rf /home/waldo/*.p*
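Reading a few hundred lines of cron mail by hand is how the two commands above were spotted; the same triage can be automated. The script below is an added example, not code from the original writeup: it splits an mbox spool into messages, pulls the command line out of every "Cron <user@host> ..." Subject header, counts how often and over what period each command ran and what it printed, and separately parses the sudo security notices into structured fields. The embedded SAMPLE_MBOX is constructed to mirror the headers seen on the page (it is not a copy of the real spool), and the function names summarize() and report() are my own.

```python
"""Triage a Unix mbox spool: which cron jobs run, what they fail on, and
which sudo security notices were raised. Sample data is constructed."""
import re
import sys
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed mbox excerpt (four messages) modelled on the waldo spool.
SAMPLE_MBOX = """\
From root@admirer.htb Wed Apr 29 10:40:01 2020
From: root@admirer.htb (Cron Daemon)
To: root@admirer.htb
Subject: Cron <root@admirer> rm -r /tmp/*
X-Cron-Env: <LOGNAME=root>
Date: Wed, 29 Apr 2020 10:40:01 +0100

rm: cannot remove '/tmp/*': No such file or directory

From root@admirer.htb Wed Apr 29 10:45:01 2020
From: root@admirer.htb (Cron Daemon)
To: root@admirer.htb
Subject: Cron <root@admirer> rm -r /tmp/*
Date: Wed, 29 Apr 2020 10:45:01 +0100

rm: cannot remove '/tmp/*': No such file or directory

From root@admirer.htb Wed Apr 29 11:10:02 2020
From: root@admirer.htb (Cron Daemon)
To: root@admirer.htb
Subject: Cron <root@admirer> rm /home/waldo/*.p*
Date: Wed, 29 Apr 2020 11:10:01 +0100

rm: cannot remove '/home/waldo/*.p*': No such file or directory

From waldo@admirer.htb Thu Nov 16 15:08:56 2023
To: root@admirer.htb
Subject: *** SECURITY information for admirer.htb ***
From: Waldo Cooper <waldo@admirer.htb>
Date: Thu, 16 Nov 2023 15:08:36 +0000

admirer.htb : Nov 16 15:08:16 : waldo : a password is required ; TTY=pts/1 ; PWD=/run/shm ; USER=root ; COMMAND=/usr/bin/id
"""

# Subject line written by Vixie cron: "Cron <user@host> command line"
CRON_SUBJECT = re.compile(r"^Cron <(?P<who>[^>]+)> (?P<cmd>.+)$")
# One line of a sudo mail notice (fields separated by " : " and " ; ")
SUDO_LINE = re.compile(
    r"^(?P<host>\S+) : (?P<when>.+?) : (?P<user>\S+) : (?P<reason>.+?) ; "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def split_mbox(text):
    """Split mbox text on the 'From ' envelope lines; return parsed messages."""
    messages = []
    for chunk in re.split(r"^From ", text, flags=re.M):
        if not chunk.strip():
            continue
        envelope, _, rfc822 = chunk.partition("\n")
        messages.append((envelope.strip(), message_from_string(rfc822)))
    return messages


def summarize(text):
    """Group cron mails by command line; collect sudo notices as dicts."""
    cron_jobs, sudo_events = {}, []
    for _, msg in split_mbox(text):
        body = "" if msg.is_multipart() else msg.get_payload().strip()
        when = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
        m = CRON_SUBJECT.match(msg.get("Subject", ""))
        if m:
            job = cron_jobs.setdefault(m["cmd"], {"runs_as": m["who"], "count": 0,
                                                  "first": when, "last": when, "output": set()})
            job["count"] += 1
            if when:  # track the observed window for this job
                job["first"] = min(job["first"], when) if job["first"] else when
                job["last"] = max(job["last"], when) if job["last"] else when
            if body:
                job["output"].add(body)
            continue
        for line in body.splitlines():  # non-cron mail: look for sudo notices
            s = SUDO_LINE.match(line.strip())
            if s:
                sudo_events.append(s.groupdict())
    return {"cron_jobs": cron_jobs, "sudo_events": sudo_events}


def report(text):
    """Human-readable summary: one line per cron job and per sudo notice."""
    fmt = lambda dt: dt.strftime("%Y-%m-%d %H:%M") if dt else "?"
    summary, lines = summarize(text), ["Cron jobs seen in spool:"]
    for cmd, job in summary["cron_jobs"].items():
        lines.append(f"  {job['count']:>3}x  {cmd}  (as {job['runs_as']}, "
                     f"{fmt(job['first'])} .. {fmt(job['last'])})")
        lines.extend(f"        output: {out}" for out in sorted(job["output"]))
    lines.append("sudo security notices:")
    for ev in summary["sudo_events"]:
        lines.append(f"  {ev['when']}  {ev['user']} -> {ev['target']}: "
                     f"{ev['reason']} (cmd: {ev['command']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage_mbox.py [/var/mail/<user>]; defaults to the sample.
    data = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MBOX
    print(report(data))
```

Run against a real spool, the "as root@..." and the first/last timestamps tell you immediately which root-owned jobs exist and how often they fire, which is the information the writeup extracts by eye above; the per-job output set also makes a quiet change of command line (such as the switch from rm -r /tmp/* to rm -r /tmp/*.*) stand out as a separate entry.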