Security Incidents mailing list archives

Re: BOGUS.IvCD File


From: vanja () RELAYGROUP COM (Vanja Hrustic)
Date: Thu, 27 Jan 2000 23:27:03 +0700


"Jonathan A. Zdziarski" wrote:

I'm really curious to know where this file came from.  I found it in /var/mail.  Does anyone know any program that 
uses this as a tempfile or could it have been a possible exploit attempt?

-rw-------   1 root          mail           0 Jan 17 11:45 BOGUS.IvCD

Thank you,

Jonathan,

This is from procmail man page:

==
If /var/spool/mail/$LOGNAME is a bogus mailbox (i.e. does not belong to
the recipient, is unwritable, is a symbolic link or is a hard link),
procmail will upon startup try to rename it into a file starting with
`BOGUS.$LOGNAME.' and ending in an inode-sequence-code.
==

However, in cases like this, the file always contains the username. It seems
that the root mailbox was not writable for whatever reason and procmail has
created that file, but I am not sure if procmail *should* create
'BOGUS.root.IvCD' file, not 'BOGUS.IvCD'. I've only seen problems with
mailboxes of normal users, never had problems with root's mailbox.

Hope this helps.

Regards,

Vanja Hrustic
The Relay Group
http://relaygroup.com
Technology Ahead of Time
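
One way to check a mail spool against the conditions in the man page excerpt quoted above, as an added example that is not part of the original message and not procmail's own code. The function names, the owner-write-bit test for "unwritable" and the regular expression for BOGUS names (which assumes the trailing code contains no dot) are assumptions made for illustration.

```python
import os, pwd, re, stat, sys   # pwd is Unix-only

# Assumption: the trailing inode-sequence-code contains no dot. The user part is
# optional so that a name like BOGUS.IvCD (the file in this thread) also parses.
BOGUS_RE = re.compile(r"^BOGUS\.(?:(?P<user>.+)\.)?(?P<code>[^.]+)$")

def parse_bogus(name):
    """Return (logname or None, code) for a BOGUS.* file name, else None."""
    m = BOGUS_RE.match(name)
    return (m.group("user"), m.group("code")) if m else None

def mailbox_problems(path, owner_uid):
    """List which 'bogus mailbox' conditions from the man page excerpt hold."""
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):         # directories etc. are out of scope
        return []
    problems = []
    if st.st_uid != owner_uid:
        problems.append("wrong-owner")
    if st.st_nlink > 1:
        problems.append("hard-link")
    if not st.st_mode & stat.S_IWUSR:        # approximation of "unwritable"
        problems.append("unwritable")
    return problems

def audit_spool(spool, uid_of=lambda n: pwd.getpwnam(n).pw_uid):
    """Report BOGUS.* leftovers and mailboxes meeting a listed condition."""
    report = {"bogus": [], "suspect": {}}
    for name in sorted(os.listdir(spool)):
        parsed = parse_bogus(name)
        if parsed:
            report["bogus"].append((name, *parsed))
            continue
        try:
            uid = uid_of(name)
        except KeyError:                     # not named after a local account
            continue
        problems = mailbox_problems(os.path.join(spool, name), uid)
        if problems:
            report["suspect"][name] = problems
    return report

if __name__ == "__main__":
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/mail"
    result = audit_spool(spool)
    for name, user, code in result["bogus"]:
        print(f"{name}: user={user or '(missing)'} code={code}")
    for name, problems in result["suspect"].items():
        print(f"{name}: {', '.join(problems)}")
```
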

