Security Incidents mailing list archives

Re: Suspicious files in Solaris (fwd)


From: ssh () SHN NU (Sean Sosik-Hamor)
Date: Mon, 15 May 2000 09:05:51 -0400


On Wed, 10 May 2000, Dave Dittrich wrote:

# Anybody know what these files could be from?
#
# -rw-------   1 nobody          0 Apr 23 04:22 BOGUS.root.e
# -rw-------   1 nobody          0 May  1 08:59 BOGUS.root.h

Don't tell me...you run qmail and have symlinks from /var/mail/root to
/Mailbox or /home/root/Mailbox?  You also probably run procmail.  If
procmail discovers a symlink or a mailbox that it deems invalid, it
will move the file/symlink/whatever to BOGUS.luser.something and
create the mailbox.  A real pain for qmail users that have done the
quick hack to just symlink /var/mail/luser to /home/luser/Mailbox so
POP servers can see it.

Example:

core:hamors {107} cd /var/mail
core:mail {108} ls -al *zk*
lrwxr-xr-x  1 zkhan  wheel  19 Dec  9 10:27 BOGUS.zkhan.gZJ -> /home/zkhan/Mailbox
-rw-------  1 zkhan  zkhan   0 Dec  9 10:34 zkhan
core:mail {109}

/Sean/
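A defender-side triage check for the behaviour Sean describes, added here as an example rather than code from the thread: it scans a spool directory for BOGUS.<user>.<suffix> entries and separates the ones that look like procmail's rename of a symlinked Mailbox (a symlink into the user's own Mailbox with a freshly created mailbox file beside it) from anything else, which still needs a human look. The `home_root` parameter and the constructed sample spool are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern of the renamed entries from the post: BOGUS.<user>.<suffix>
BOGUS_RE = re.compile(r"^BOGUS\.(?P<user>[^.]+)\.(?P<suffix>.+)$")


def triage_bogus_entries(spool, home_root="/home"):
    """Map each BOGUS.* entry in `spool` to a verdict.

    'procmail-symlink-rename': the entry is a symlink to <home_root>/<user>/Mailbox
    (the qmail symlink hack) and a regular mailbox named <user> now sits beside it,
    which is what the procmail rename described in the post leaves behind.
    'review': anything else (e.g. the empty regular files in the original question).
    """
    spool = Path(spool)
    verdicts = {}
    for entry in spool.iterdir():
        m = BOGUS_RE.match(entry.name)
        if not m:
            continue
        user = m.group("user")
        expected_target = Path(home_root) / user / "Mailbox"
        fresh_box = spool / user
        looks_like_rename = (
            entry.is_symlink()
            and Path(os.readlink(entry)) == expected_target
            and fresh_box.is_file()
            and not fresh_box.is_symlink()
        )
        verdicts[entry.name] = "procmail-symlink-rename" if looks_like_rename else "review"
    return verdicts


def build_sample_spool():
    """Constructed spool mirroring the 'core:mail' listing above (sample data, assumed)."""
    root = Path(tempfile.mkdtemp())
    home = root / "home"
    (home / "zkhan").mkdir(parents=True)
    (home / "zkhan" / "Mailbox").touch()
    spool = root / "var" / "mail"
    spool.mkdir(parents=True)
    # The renamed symlink and the mailbox procmail created in its place
    os.symlink(str(home / "zkhan" / "Mailbox"), spool / "BOGUS.zkhan.gZJ")
    (spool / "zkhan").touch()
    # An empty regular file like the ones in the original question: not a symlink rename
    (spool / "BOGUS.root.e").touch()
    return spool, home
```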