Security Incidents mailing list archives
Suspicious files in Solaris (fwd)
From: dittrich () CAC WASHINGTON EDU (Dave Dittrich)
Date: Wed, 10 May 2000 18:55:08 -0700
Anybody know what these files could be from?

--
Dave Dittrich
Computing & Communications
dittrich () cac washington edu
Client Services
http://staff.washington.edu/dittrich
University of Washington
PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Wed, 10 May 2000 10:36:38 -0700 (PDT)
Subject: Suspicious files in Solaris

The main [Solaris] server has been discovered to hold the following files in /var/mail (Our inbox spool):

-rw------- 1 nobody 0 Apr 23 04:22 BOGUS.root.e
-rw------- 1 nobody 0 May 1 08:59 BOGUS.root.h

All of the mailboxes remain intact, and so far we have not seen any other evidence of strange activity. Any ideas as to the possible source of these files? Part of a root compromise attempt (or in progress)?

Checks of the message and other logs have not yielded anything particularly out of the ordinary. Most curiously, though, we have not received any wrapper logs indicating refused connections since May 2. Perhaps this is just a lull, but perhaps not. . . .
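The post's listing shows the two checks a defender would run on a mail spool by hand: each entry in /var/mail should be named after a local account and owned by that same account. The script below is an added example (not code from the post or from either author) that applies those checks to an ls-style listing. The listing is constructed for the example from the two lines quoted in the post plus two normal mailboxes; the LOCAL_USERS set is a hypothetical stand-in for /etc/passwd. Zero size on its own is deliberately not treated as suspicious, since an empty mailbox is normal.

```python
import re
from dataclasses import dataclass, field

# Constructed sample listing: the two lines quoted in the post plus two
# ordinary mailboxes, in the same group-less column layout the post shows.
SAMPLE_LISTING = """\
-rw------- 1 nobody 0 Apr 23 04:22 BOGUS.root.e
-rw------- 1 nobody 0 May 1 08:59 BOGUS.root.h
-rw-rw---- 1 alice 4096 May 9 11:02 alice
-rw-rw---- 1 bob 0 May 8 09:30 bob
"""

# Hypothetical local account list; on a real host this comes from /etc/passwd.
LOCAL_USERS = {"root", "alice", "bob"}

# mode, link count, owner, size, "Mon dd hh:mm" (or "Mon dd yyyy"), name
LINE_RE = re.compile(
    r"^(?P<mode>[-a-z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\w{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>\S+)$"
)


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)


def parse_listing(text):
    """Turn ls-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(
                {
                    "mode": m.group("mode"),
                    "owner": m.group("owner"),
                    "size": int(m.group("size")),
                    "name": m.group("name"),
                }
            )
    return entries


def audit_spool(text, local_users=LOCAL_USERS):
    """Flag spool entries that break the name == account == owner rule."""
    findings = []
    for e in parse_listing(text):
        reasons = []
        if e["name"] not in local_users:
            reasons.append("name is not a local account")
        if e["owner"] != e["name"]:
            reasons.append(f"owned by {e['owner']}, not {e['name']}")
        if "." in e["name"]:
            # Mailbox files are plain usernames; dotted names are not expected.
            reasons.append("mailbox name contains '.'")
        if reasons:
            findings.append(Finding(e["name"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_spool(SAMPLE_LISTING):
        print(f.name, "->", "; ".join(f.reasons))
```

Run against the constructed listing, only the two BOGUS.* entries are reported; alice and bob pass even though bob's mailbox is empty. On a live Solaris box the same checks would be fed from `ls -l /var/mail` and the account list from `getent passwd`, and an entry owned by `nobody` with a name matching no account is exactly the kind of thing worth following up with a timeline of file creation times against the log gap the post mentions.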
Current thread:
- Suspicious files in Solaris (fwd) Dave Dittrich (May 10)
- Re: Suspicious files in Solaris (fwd) Robert van der Meulen (May 15)
- Re: Suspicious files in Solaris (fwd) Sean Sosik-Hamor (May 15)
- Korea a classic ? was: IP blacklist Jens Hektor (May 15)
- Re: Suspicious files in Solaris (fwd) Michael H. Warfield (May 15)