Security Incidents mailing list archives
Re: Suspicious files in Solaris (fwd)
From: mhw () WITTSEND COM (Michael H. Warfield)
Date: Mon, 15 May 2000 10:10:29 -0400
On Wed, May 10, 2000 at 06:55:08PM -0700, Dave Dittrich wrote:
Anybody know what these files could be from?
I see this on some systems. It's generally the mail system's way of dealing with a mailbox conflict. It's a feature of procmail. I've seen it since starting to use procmail. Basically, if it fails to be able to write to the main mailbox for some reason (permissions, locking, etc), it creates one of these files to save the mail traffic to, instead of the main mailbox. From "man procmail":

]   If /var/spool/mail/$LOGNAME is a bogus mailbox (i.e. does
]   not belong to the recipient, is unwritable, is a symbolic
]   link or is a hard link), procmail will upon startup try to
]   rename it into a file starting with `BOGUS.$LOGNAME.' and
]   ending in an inode-sequence-code. If this turns out to be
]   impossible, ORGMAIL will have no initial value, and hence
]   will inhibit delivery without a proper rcfile.

--
Dave Dittrich                      Computing & Communications
dittrich () cac washington edu    Client Services
http://staff.washington.edu/dittrich   University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Wed, 10 May 2000 10:36:38 -0700 (PDT)
Subject: Suspicious files in Solaris

The main [Solaris] server has been discovered to hold the following files in /var/mail (Our inbox spool):

-rw-------   1 nobody          0 Apr 23 04:22 BOGUS.root.e
-rw-------   1 nobody          0 May  1 08:59 BOGUS.root.h

All of the mailboxes remain intact, and so far we have not seen any other evidence of strange activity. Any ideas as to the possible source of these files? Part of a root compromise attempt (or in progress)? Checks of the message and other logs have not yielded anything particularly out of the ordinary. Most curiously, though, we have not received any wrapper logs indicating refused connections since May 2. Perhaps this is just a lull, but perhaps not. . . .
Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
(The Mad Wizard)       |  (770) 331-2437   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
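The procmail man page excerpt above lists four conditions under which a mailbox counts as "bogus": not owned by the recipient, unwritable, a symbolic link, or a hard link. The following script is an added example for this archive page, not code posted by either correspondent: it re-checks those same four conditions against the live mailbox of every user who has a BOGUS.* file in the spool, so an administrator can confirm that the files have the benign explanation given above rather than relying on the filename alone. The function names (mailbox_reasons, list_bogus, audit_spool) and the temporary-directory layout are assumptions of this example; the spool path and the BOGUS.$LOGNAME.<code> naming come from the thread.

```shell
#!/bin/sh
# Added defensive check (not from the thread): reproduce procmail's
# "bogus mailbox" criteria so an admin can see whether a BOGUS.* file
# in the spool is explained by an ordinary mailbox problem.
# Prints nothing and returns 0 if the mailbox looks sane; otherwise
# prints one reason per line and returns 1.
# Usage: mailbox_reasons /var/mail/root root
mailbox_reasons() {
  box=$1; user=$2; rc=0
  # No mailbox at all (and no dangling symlink): nothing for procmail to rename.
  [ -e "$box" ] || [ -L "$box" ] || return 0
  # Symbolic link: checked with -L so the link itself, not its target, is judged.
  if [ -L "$box" ]; then echo "symlink"; rc=1; fi
  # Hard link: link count above 1. find is used because `stat` flags differ
  # between Solaris, BSD and GNU, while -links and -user are POSIX find tests.
  if [ -n "$(find "$box" -prune -links +1 -print 2>/dev/null)" ]; then
    echo "hardlink"; rc=1
  fi
  # Ownership: the mailbox must belong to the recipient. An unknown user name
  # makes find fail silently, which is reported as not owned by that user.
  if [ -z "$(find "$box" -prune -user "$user" -print 2>/dev/null)" ]; then
    echo "not-owned-by-$user"; rc=1
  fi
  # Writability as seen by the invoking user (root sees everything as writable,
  # so run this as the delivery user for a meaningful answer).
  if [ ! -w "$box" ]; then echo "unwritable"; rc=1; fi
  return $rc
}

# Print the recipient name embedded in every BOGUS.* file of a spool directory,
# following the BOGUS.$LOGNAME.<inode-sequence-code> naming from man procmail.
# Usage: list_bogus /var/mail
list_bogus() {
  dir=$1
  for f in "$dir"/BOGUS.*; do
    [ -e "$f" ] || continue
    name=${f##*/BOGUS.}
    echo "${name%.*}"
  done
}

# For each recipient with a BOGUS.* file, report why procmail would consider
# the live mailbox bogus. A recipient with no reasons printed means the
# original problem was transient or has since been corrected.
# Usage: audit_spool /var/mail
audit_spool() {
  dir=$1
  for u in $(list_bogus "$dir" | sort -u); do
    echo "== $u =="
    mailbox_reasons "$dir/$u" "$u" || true
  done
}
```

On the thread's listing, `list_bogus /var/mail` would print `root` twice (once per file), and `audit_spool /var/mail` would then explain why /var/mail/root was refused; a spool where every BOGUS.* file has a matching, currently valid reason is consistent with the procmail explanation given above, whereas BOGUS.* files for a mailbox that passes all four checks deserve a closer look at the spool's history.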