Security Incidents mailing list archives

Suspicious files in Solaris (fwd)


From: dittrich () CAC WASHINGTON EDU (Dave Dittrich)
Date: Wed, 10 May 2000 18:55:08 -0700


Anybody know what these files could be from?

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Wed, 10 May 2000 10:36:38 -0700 (PDT)
Subject: Suspicious files in Solaris

The main [Solaris] server has been discovered to hold the following files
in /var/mail (Our inbox spool):

-rw-------   1 nobody          0 Apr 23 04:22 BOGUS.root.e
-rw-------   1 nobody          0 May  1 08:59 BOGUS.root.h

All of the mailboxes remain intact, and so far we have not seen any other
evidence of strange activity.  Any ideas as to the possible source of
these files?  Part of a root compromise attempt (or in progress)?

Checks of the message and other logs have not yielded anything
particularly out of the ordinary.  Most curiously, though, we have not
received any wrapper logs indicating refused connections since May
2.  Perhaps this is just a lull, but perhaps not.

 . . .
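
As an added example, not from this thread, from Solaris or from any tool the poster used: a small POSIX sh audit for a mail spool that flags the two anomalies visible in the listing above, an entry whose basename is not a login in the passwd file, and a mailbox not owned by the login it is named after. It runs against a constructed scratch spool rather than a real /var/mail; the function and file names are my own.

```shell
#!/bin/sh
# Hypothetical spool audit (added example). Flags entries in a mail spool
# directory such as /var/mail that do not look like a local user's mailbox.

# audit_mail_spool SPOOL_DIR PASSWD_FILE
# Prints one line per anomaly: "<reason> <path>".
audit_mail_spool() {
    spool=$1
    passwd=$2
    for f in "$spool"/*; do
        [ -e "$f" ] || continue          # empty directory: glob did not expand
        name=$(basename "$f")
        # A genuine mailbox is named after a login that exists in passwd
        # (exact match on field 1, so dots in names like BOGUS.root.e are literal).
        if ! awk -F: -v n="$name" '$1 == n { ok = 1 } END { exit !ok }' "$passwd"; then
            echo "unknown-user $f"
            continue
        fi
        # A genuine mailbox is owned by that login. ls -ld is used because
        # GNU stat is not available on every system this might run on.
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        if [ "$owner" != "$name" ]; then
            echo "wrong-owner $f"
        fi
    done
}

# build_sample_spool: constructed test data mirroring the post's listing.
# Echoes a scratch directory holding spool/ and a passwd file; the caller
# removes it. Every file is owned by whoever runs this, so only the mailbox
# named after the current user is fully legitimate.
build_sample_spool() {
    d=$(mktemp -d)
    me=$(id -un)
    mkdir "$d/spool"
    printf 'root:x:0:0::/:/bin/sh\nnobody:x:60001:60001::/:/bin/false\n' > "$d/passwd"
    printf 'alice:x:1001:1001::/home/alice:/bin/sh\n%s:x:1002:1002::/tmp:/bin/sh\n' "$me" >> "$d/passwd"
    : > "$d/spool/$me"            # legitimate mailbox for the current user
    : > "$d/spool/alice"          # known login, but owned by the runner -> wrong-owner
    : > "$d/spool/BOGUS.root.e"   # the zero-byte names from the post -> unknown-user
    : > "$d/spool/BOGUS.root.h"
    echo "$d"
}

# Stand-alone run on the constructed spool.
sample=$(build_sample_spool)
audit_mail_spool "$sample/spool" "$sample/passwd"
rm -rf "$sample"
```

Pointed at a real spool, the output is a worklist, not a verdict: a flagged name can still be a legitimate system account, so check each against the host's passwd and mail configuration.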


