Security Incidents mailing list archives
Re: Suspicious files in Solaris (fwd)
From: rvdm () CISTRON NL (Robert van der Meulen)
Date: Mon, 15 May 2000 12:12:07 +0200
Quoting Dave Dittrich (dittrich () CAC WASHINGTON EDU):
> Anybody know what these files could be from?
<snip>
Yep.
> -rw------- 1 nobody 0 Apr 23 04:22 BOGUS.root.e
> -rw------- 1 nobody 0 May 1 08:59 BOGUS.root.h
From the procmail manpage:
If /var/spool/mail/$LOGNAME is a bogus mailbox (i.e. does not belong to the recipient, is unwritable, is a symbolic link or is a hard link), procmail will upon startup try to rename it into a file starting with `BOGUS.$LOGNAME.' and ending in an inode-sequence-code. If this turns out to be impossible, ORGMAIL will have no initial value, and hence will inhibit delivery without a proper rcfile.
> All of the mailboxes remain intact, and so far we have not seen any other evidence of strange activity. Any ideas as to the possible source of these files? Part of a root compromise attempt (or in progress)?
Nope, just a procmail problem ;) - I had some of those files on a system of mine too.

Greets,
Robert
-- 
| rvdm () cistron nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
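An added illustration of the "bogus mailbox" conditions from the procmail manpage quoted in this reply, for re-checking the mailbox a BOGUS.<user>.<code> file was renamed from; this is not procmail's own code, and the spool directory, user names and the "missing mailbox is not bogus" assumption are constructed for the example.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# Mirrors the documented procmail test: a mailbox is bogus if it does not
# belong to the recipient, is unwritable, is a symbolic link or is a hard
# link. Added example, not procmail's implementation; procmail's exact checks
# may differ in detail between versions.

def bogus_mailbox_reasons(path: str, recipient_uid: int) -> List[str]:
    """Return why a mailbox would count as bogus; an empty list means clean."""
    reasons: List[str] = []
    try:
        st = os.lstat(path)                  # lstat so a symlink is seen as one
    except FileNotFoundError:
        return []                            # assumed: no mailbox yet is not bogus
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]                   # other fields would describe the target
    if not stat.S_ISREG(st.st_mode):
        reasons.append("not a regular file")
    if st.st_nlink > 1:
        reasons.append("hard link (nlink=%d)" % st.st_nlink)
    if st.st_uid != recipient_uid:
        reasons.append("owner uid %d != recipient uid %d" % (st.st_uid, recipient_uid))
    if not (st.st_mode & stat.S_IWUSR):
        reasons.append("not writable by owner")
    return reasons

def demo() -> Dict[str, List[str]]:
    """Classify mailboxes in a constructed, throw-away spool directory."""
    spool = tempfile.mkdtemp(prefix="spool-")
    me = os.getuid()
    def mailbox(name: str, mode: int) -> str:
        p = os.path.join(spool, name)
        open(p, "w").close()
        os.chmod(p, mode)
        return p
    alice = mailbox("alice", 0o600)                                   # normal mailbox
    os.symlink(alice, os.path.join(spool, "bob"))                     # symlink into another box
    os.link(mailbox(".scratch", 0o600), os.path.join(spool, "carol")) # hard link
    mailbox("dave", 0o400)                                            # unwritable
    results = {n: bogus_mailbox_reasons(os.path.join(spool, n), me)
               for n in ("alice", "bob", "carol", "dave")}
    results["alice-wrong-owner"] = bogus_mailbox_reasons(alice, me + 1)  # owner mismatch
    shutil.rmtree(spool)
    return results

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "OK" if not why else ", ".join(why))
```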