Security Incidents mailing list archives
Re: BOGUS.IvCD File
From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Thu, 27 Jan 2000 23:27:03 +0700
"Jonathan A. Zdziarski" wrote:
> I'm really curious to know where this file came from. I found it in /var/mail. Does anyone know any program that uses this as a tempfile or could it have been a possible exploit attempt?
>
> -rw------- 1 root mail 0 Jan 17 11:45 BOGUS.IvCD
>
> Thank you,
Jonathan,

This is from procmail man page:

==
If /var/spool/mail/$LOGNAME is a bogus mailbox (i.e. does not belong to the recipient, is unwritable, is a symbolic link or is a hard link), procmail will upon startup try to rename it into a file starting with `BOGUS.$LOGNAME.' and ending in an inode-sequence-code.
==

However, in cases like this, the file always contains the username. It seems that root mailbox was not writable for whatever reason and procmail has created that file, but I am not sure if procmail *should* create 'BOGUS.root.IvCD' file, not 'BOGUS.IvCD'. I've only seen problems with mailboxes of normal users, never had problems with root's mailbox.

Hope this helps.

Regards,

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
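An added example, not part of the message above and not procmail's own code: a spool audit that lists files already named `BOGUS.*` (noting whether a LOGNAME is present) and flags mailboxes that meet the conditions in the quoted man page text. The function names are hypothetical; it assumes "unwritable" means the owner write bit is unset and that the trailing code contains no dot.

```python
import os
import pwd
import stat

def lookup_uid(name):
    """Return the uid for a login name, or None if no such account exists."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def bogus_reasons(path, uid_of=lookup_uid):
    """Conditions from the quoted man page text that this mailbox meets."""
    st = os.lstat(path)                       # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return ["symbolic link"]
    if not stat.S_ISREG(st.st_mode):          # skip directories, devices, etc.
        return []
    reasons = []
    if st.st_nlink > 1:
        reasons.append("hard link")
    if st.st_uid != uid_of(os.path.basename(path)):
        reasons.append("does not belong to the recipient")
    if not st.st_mode & stat.S_IWUSR:         # assumption: owner write bit
        reasons.append("unwritable")
    return reasons

def audit_spool(spool, uid_of=lookup_uid):
    """Return (leftovers, suspects) for one spool directory.

    leftovers: {filename: LOGNAME or None} for files already named BOGUS.*
    suspects:  {filename: [reasons]} for mailboxes matching a bogus condition
    """
    leftovers, suspects = {}, {}
    for name in sorted(os.listdir(spool)):
        if name.startswith("BOGUS."):
            # Documented form is BOGUS.$LOGNAME.<code>; with no second dot
            # the LOGNAME is missing, as in the BOGUS.IvCD of this thread.
            logname, sep, _code = name[len("BOGUS."):].rpartition(".")
            leftovers[name] = logname if sep else None
        elif reasons := bogus_reasons(os.path.join(spool, name), uid_of):
            suspects[name] = reasons
    return leftovers, suspects

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as spool:   # constructed sample spool
        for n in ("BOGUS.IvCD", "BOGUS.alice.AbCd", "bob"):
            open(os.path.join(spool, n), "w").close()
        os.symlink("bob", os.path.join(spool, "carol"))
        print(audit_spool(spool, uid_of=lambda n: os.getuid()))
```

To audit a real spool, call `audit_spool("/var/mail")` with the default account lookup.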