Security Incidents mailing list archives
Re: Suspicious files in Solaris (fwd)
From: ssh () SHN NU (Sean Sosik-Hamor)
Date: Mon, 15 May 2000 09:05:51 -0400
On Wed, 10 May 2000, Dave Dittrich wrote:

# Anybody know what these files could be from?
#
# -rw------- 1 nobody 0 Apr 23 04:22 BOGUS.root.e
# -rw------- 1 nobody 0 May 1 08:59 BOGUS.root.h

Don't tell me...you run qmail and have symlinks from /var/mail/root to /Mailbox or /home/root/Mailbox? You also probably run procmail.

If procmail discovers a symlink or a mailbox that it deems invalid, it will move the file/symlink/whatever to BOGUS.luser.something and create the mailbox. A real pain for qmail users that have done the quick hack to just symlink /var/mail/luser to /home/luser/Mailbox so POP servers can see it.

Example:

core:hamors {107} cd /var/mail
core:mail {108} ls -al *zk*
lrwxr-xr-x 1 zkhan wheel 19 Dec 9 10:27 BOGUS.zkhan.gZJ -> /home/zkhan/Mailbox
-rw------- 1 zkhan zkhan 0 Dec 9 10:34 zkhan
core:mail {109}

/Sean/
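An added triage example, not part of the original post and not procmail's own code: it lists BOGUS.<user>.<suffix> entries in a mail spool and records, for each, whether it is a symlink, where it points, and whether a regular mailbox for that user now exists, which is the pattern the message above describes. The function names and the sample spool built in demo() are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# BOGUS.<user>.<suffix>, the naming shown in the post
BOGUS_RE = re.compile(r"^BOGUS\.(?P<user>.+)\.(?P<suffix>[^.]+)$")

def triage_spool(spool):
    """Return one record per BOGUS.* entry found directly in `spool`."""
    records = []
    for name in sorted(os.listdir(spool)):
        m = BOGUS_RE.match(name)
        if not m:
            continue
        path = os.path.join(spool, name)
        st = os.lstat(path)  # lstat: describe the entry itself, never follow links
        is_link = stat.S_ISLNK(st.st_mode)
        mailbox = os.path.join(spool, m.group("user"))
        try:
            # A regular file named after the user suggests the mailbox was recreated
            recreated = stat.S_ISREG(os.lstat(mailbox).st_mode)
        except FileNotFoundError:
            recreated = False
        records.append({
            "name": name,
            "user": m.group("user"),
            "kind": "symlink" if is_link else "file" if stat.S_ISREG(st.st_mode) else "other",
            "target": os.readlink(path) if is_link else None,
            "size": st.st_size,
            "uid": st.st_uid,
            "mailbox_recreated": recreated,
        })
    return records

def demo():
    """Build a constructed spool mirroring the listings in the thread and triage it."""
    with tempfile.TemporaryDirectory() as spool:
        os.symlink("/home/zkhan/Mailbox", os.path.join(spool, "BOGUS.zkhan.gZJ"))
        open(os.path.join(spool, "zkhan"), "w").close()
        open(os.path.join(spool, "BOGUS.root.e"), "w").close()  # no 'root' mailbox here
        return triage_spool(spool)

if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

A symlink entry with a recreated mailbox beside it matches the rename described in the post; entries that do not fit that shape are the ones to look at by hand.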
Current thread:
- Suspicious files in Solaris (fwd) Dave Dittrich (May 10)
- Re: Suspicious files in Solaris (fwd) Robert van der Meulen (May 15)
- Re: Suspicious files in Solaris (fwd) Sean Sosik-Hamor (May 15)
- Korea a classic ? was: IP blacklist Jens Hektor (May 15)
- Re: Suspicious files in Solaris (fwd) Michael H. Warfield (May 15)