Security Incidents mailing list archives

Re: Suspicious files in Solaris (fwd)


From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Mon, 15 May 2000 10:10:29 -0400


On Wed, May 10, 2000 at 06:55:08PM -0700, Dave Dittrich wrote:
> Anybody know what these files could be from?

        I see this on some systems.  It's generally the mail system's
way of dealing with a mailbox conflict.  It's a feature of procmail.
I've seen it since starting to use procmail.  Basically, if it fails
to be able to write to the main mailbox for some reason (permissions,
locking, etc), it creates one of these files to save the mail traffic
to, instead of the main mailbox.

        From "man procmail":

]      If  /var/spool/mail/$LOGNAME is a bogus mailbox (i.e. does
]      not belong to the recipient, is unwritable, is a  symbolic
]      link or is a hard link), procmail will upon startup try to
]      rename it into a file starting with `BOGUS.$LOGNAME.'  and
]      ending in an inode-sequence-code.  If this turns out to be
]      impossible, ORGMAIL will have no initial value, and  hence
]      will inhibit delivery without a proper rcfile.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Wed, 10 May 2000 10:36:38 -0700 (PDT)
Subject: Suspicious files in Solaris

The main [Solaris] server has been discovered to hold the following files
in /var/mail (Our inbox spool):

-rw-------   1 nobody          0 Apr 23 04:22 BOGUS.root.e
-rw-------   1 nobody          0 May  1 08:59 BOGUS.root.h

All of the mailboxes remain intact, and so far we have not seen any other
evidence of strange activity.  Any ideas as to the possible source of
these files?  Part of a root compromise attempt (or in progress)?

Checks of the message and other logs have not yielded anything
particularly out of the ordinary.  Most curiously, though, we have not
received any wrapper logs indicating refused connections since May
2.  Perhaps this is just a lull, but perhaps not.

 . . .

        Mike

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
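The mailbox sanity test that Mike's reply describes (and that the quoted "man procmail" excerpt lists: wrong owner, unwritable, symbolic link, hard link) re-implemented as an added Python example for triaging a spool directory. This is illustrative code written for this archive page, not procmail's own source and not part of either message in the thread; the spool directory it scans is constructed in a temp dir, and the login-to-uid lookup is a stub table instead of `pwd.getpwnam`. It reports both leftover `BOGUS.<login>.<code>` files like the two reported above and any current mailbox procmail would still reject, with the reason, which is the information an admin wants before deciding whether a BOGUS file is a harmless permissions/locking artifact or something to dig into.

```python
import os
import stat
import tempfile

BOGUS_PREFIX = "BOGUS."


def bogus_mailbox_reason(path, recipient_uid):
    """Return why procmail would treat `path` as a bogus mailbox, or None.

    Mirrors the four conditions in the procmail man page excerpt (illustrative
    re-implementation, not procmail's code). A missing mailbox is not bogus:
    procmail simply creates it.
    """
    if not os.path.lexists(path):
        return None
    if os.path.islink(path):                      # symlink: never followed
        return "symbolic link"
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_nlink > 1:                           # hard link elsewhere
        return "hard link (link count %d)" % st.st_nlink
    if st.st_uid != recipient_uid:                # not owned by recipient
        return "owned by uid %d, not recipient uid %d" % (st.st_uid, recipient_uid)
    if not st.st_mode & stat.S_IWUSR:             # owner cannot write it
        return "not writable by its owner"
    return None


def parse_bogus_name(filename):
    """Split 'BOGUS.root.e' into ('root', 'e'); None for any other name."""
    if not filename.startswith(BOGUS_PREFIX):
        return None
    login, sep, code = filename[len(BOGUS_PREFIX):].rpartition(".")
    if not sep or not login or not code:
        return None
    return login, code


def triage_spool(spool_dir, uid_of):
    """Scan a spool directory.

    `uid_of(login)` maps a login name to its uid (a constructed lookup in the
    demo; pwd.getpwnam(login).pw_uid in real use). Returns (leftovers, problems):
    leftover BOGUS.* files grouped by login, and mailboxes procmail would reject.
    """
    leftovers, problems = {}, {}
    for name in sorted(os.listdir(spool_dir)):
        parsed = parse_bogus_name(name)
        if parsed:
            leftovers.setdefault(parsed[0], []).append(parsed[1])
            continue
        reason = bogus_mailbox_reason(os.path.join(spool_dir, name), uid_of(name))
        if reason:
            problems[name] = reason
    return leftovers, problems


def demo():
    """Build a constructed spool in a temp dir and triage it."""
    me = os.getuid()
    spool = tempfile.mkdtemp(prefix="spool-")
    elsewhere = tempfile.mkdtemp(prefix="other-")   # home for the hard link

    def mk(name, mode=0o600):
        path = os.path.join(spool, name)
        open(path, "w").close()
        os.chmod(path, mode)
        return path

    mk("alice")                                            # sane mailbox
    os.symlink("/etc/passwd", os.path.join(spool, "bob"))  # symlink: rejected
    os.link(mk("carol"), os.path.join(elsewhere, "carol")) # hard link: rejected
    mk("dave", 0o444)                                      # owner can't write
    mk("eve")                                              # wrong owner (see table)
    mk("BOGUS.root.e")                                     # leftovers like the report
    mk("BOGUS.root.h")
    uids = {"eve": me + 1}                                 # everyone else maps to me
    return triage_spool(spool, lambda login: uids.get(login, me))


if __name__ == "__main__":
    leftovers, problems = demo()
    print("leftover BOGUS files:", leftovers)
    for mailbox, reason in problems.items():
        print("%-8s would be renamed: %s" % (mailbox, reason))
```

In real use, point `triage_spool` at `/var/mail` with `pwd.getpwnam` as the lookup; a BOGUS file whose login still has a problem mailbox usually explains itself, while a BOGUS file with a currently sane mailbox points at a transient locking or permission failure at the timestamp on the file.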


