Security Incidents mailing list archives

Re: Suspicious files in Solaris (fwd)


From: rvdm () CISTRON NL (Robert van der Meulen)
Date: Mon, 15 May 2000 12:12:07 +0200


Quoting Dave Dittrich (dittrich () CAC WASHINGTON EDU):
> Anybody know what these files could be from?
<snip>
Yep.

> -rw-------   1 nobody          0 Apr 23 04:22 BOGUS.root.e
> -rw-------   1 nobody          0 May  1 08:59 BOGUS.root.h

From the procmail manpage:

    If /var/spool/mail/$LOGNAME is a bogus mailbox (i.e. does
    not belong to the recipient, is unwritable, is a symbolic
    link or is a hard link), procmail will upon startup try to
    rename it into a file starting with `BOGUS.$LOGNAME.' and
    ending in an inode-sequence-code.  If this turns out to be
    impossible, ORGMAIL will have no initial value, and hence
    will inhibit delivery without a proper rcfile.

> All of the mailboxes remain intact, and so far we have not seen any other
> evidence of strange activity.  Any ideas as to the possible source of
> these files?  Part of a root compromise attempt (or in progress)?

Nope, just a procmail problem ;) - I had some of those files on a system of
mine too.

Greets,
        Robert

--

|      rvdm () cistron nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
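
The manpage text Robert quotes gives four conditions under which procmail treats a spool mailbox as bogus and renames it to BOGUS.$LOGNAME.<code>. The script below is an added triage example written for this archive page, not code from Robert, Dave or the procmail project: it applies those four conditions to a mailbox path and lists any BOGUS.* leftovers in a spool directory, so an admin can confirm that such files came from procmail's rename rather than from something else. Assumptions: "unwritable" is approximated by the owner write bit rather than a real access check, the inode-sequence-code format is not stated on the list so anything after the second dot is accepted, and the spool directory it inspects is a constructed temporary one.

```python
import os
import re
import stat
import tempfile

# Name shape from the manpage: "BOGUS.$LOGNAME." followed by an inode-sequence-code.
# The code format is not given on the list (assumption: accept anything after the second dot).
BOGUS_RE = re.compile(r"^BOGUS\.(?P<user>[^.]+)\.(?P<code>.+)$")


def bogus_reasons(mailbox, recipient_uid):
    """Return the manpage's reasons for calling a mailbox bogus (wrong owner,
    unwritable, symbolic link, hard link). Empty list means it looks sane;
    a missing mailbox is not bogus either. Writability is approximated from
    the owner write bit (assumption), not from procmail's real access check."""
    try:
        st = os.lstat(mailbox)
    except FileNotFoundError:
        return []
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symbolic link")
        return reasons  # the other checks are moot once it is a symlink
    if st.st_uid != recipient_uid:
        reasons.append("owned by uid %d, not recipient uid %d" % (st.st_uid, recipient_uid))
    if not st.st_mode & stat.S_IWUSR:
        reasons.append("not writable by owner")
    if st.st_nlink > 1:
        reasons.append("hard link (link count %d)" % st.st_nlink)
    return reasons


def find_bogus_files(spool_dir):
    """List (filename, user, code) for every BOGUS.<user>.<code> entry in the spool."""
    hits = []
    for name in sorted(os.listdir(spool_dir)):
        m = BOGUS_RE.match(name)
        if m:
            hits.append((name, m.group("user"), m.group("code")))
    return hits


def build_sample_spool(root):
    """Constructed sample spool (not a real system): one sane mailbox, one symlinked,
    one hard-linked, plus two leftovers shaped like the files reported on the list."""
    spool = os.path.join(root, "mail")
    os.mkdir(spool)
    with open(os.path.join(spool, "alice"), "w"):
        pass
    with open(os.path.join(spool, "elsewhere"), "w"):
        pass
    os.symlink(os.path.join(spool, "elsewhere"), os.path.join(spool, "bob"))
    with open(os.path.join(spool, "carol"), "w"):
        pass
    os.link(os.path.join(spool, "carol"), os.path.join(spool, "carol.copy"))
    for leftover in ("BOGUS.root.e", "BOGUS.root.h"):
        with open(os.path.join(spool, leftover), "w"):
            pass
    return spool


def demo_results():
    """Run both checks against the constructed spool and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        spool = build_sample_spool(root)
        me = os.getuid()
        verdicts = {u: bogus_reasons(os.path.join(spool, u), me)
                    for u in ("alice", "bob", "carol")}
        leftovers = find_bogus_files(spool)
    return verdicts, leftovers


def main():
    verdicts, leftovers = demo_results()
    for user, reasons in verdicts.items():
        print("%-6s %s" % (user, ", ".join(reasons) or "ok"))
    for name, user, code in leftovers:
        print("leftover %s: procmail renamed %s's mailbox (code %s)" % (name, user, code))


if __name__ == "__main__":
    main()
```

On a real host, point find_bogus_files() at /var/spool/mail and bogus_reasons() at each user's mailbox with that user's uid; the leftovers are zero-length because procmail renames the bad file aside rather than copying mail into it, which matches the 0-byte entries in Dave's listing.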