Re: /var/mail BOGUS files

From: Bill Marcum (bmarcum_at_iglou.com.urgent)
Date: 08/17/04

  • Next message: Jim Bo: "File Descriptors"
    Date: Tue, 17 Aug 2004 00:48:28 -0400
    
    

    On Mon, 16 Aug 2004 17:22:48 GMT, Administrateur de systemes
      <sysadmin@DMS.UMontreal.CA> wrote:
    > Hi all Linux gurus!
    >
    >
    > I have on my email server a series of BOGUS files.
    > It's a Solaris 9 box with sendmail 8.10.12
    > My mailboxes (/var/mail) are mounted on all Red Hat clients
    > for being used for pine, elm, etc. ...
    > Here are the kind of BOGUS files:
    >
    > [1318][root@leonard:/]
    > > cd /var/mail
    >
    > [1319][root@leonard:/var/mail]
    > > ls -lrt
    >
    > .....
    >
    > -r-------- 1 nobody nobody 1 Aug 16 13:14 BOGUS.root.tC
    > -r-------- 1 nobody nobody 1 Aug 16 13:14 BOGUS.root.E
    > -r-------- 1 nobody nobody 1 Aug 16 13:14 BOGUS.root.D
    > -r-------- 1 nobody nobody 1 Aug 16 13:14 BOGUS.root.qG
    > -r-------- 1 nobody nobody 1 Aug 16 13:14 BOGUS.root.eG
    > -r-------- 1 nobody nobody 1 Aug 16 13:14 BOGUS.root.ZG
    > -r-------- 1 nobody nobody 1 Aug 16 13:14 BOGUS.root.8F
    >
    >
    > Where do those come from? Procmail? NFS? Clients like pine or dtmail?
    > I don't know where to start looking from ...
    >
    I'm not sure, but if /var/mail is mounted on several hosts, you may need
    to find which one has been r00ted. You might start by looking in the
    log files to see what happened and who was logged on at 13:14 on August
    16.
    Why not just use a pop/imap server for email?

    -- 
       Liberals don't believe they deserve anything they own; conservatives think   
       they're entitled to everything they've stolen.                               
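
The log check suggested in the reply above, as an added example that is not part of the original thread: it takes `last`-style login records gathered from each host that mounts /var/mail and lists the sessions that were open at the timestamp on the BOGUS files. The host names, users, addresses and record layout (common Linux `last` output) are constructed assumptions; only the 13:14 August 16 timestamp comes from the post.

```python
import re
from datetime import datetime, timedelta

YEAR = 2004                   # `last` prints no year; taken from the message date
SLACK = timedelta(minutes=1)  # `ls -l` and `last` both round to the minute
BOGUS_MTIME = datetime(YEAR, 8, 16, 13, 14)  # from the `ls -lrt` listing in the post
# Constructed sample: `last`-style output per NFS client (hosts, users, IPs invented).
SAMPLE_LAST = {
    "client-a": """\
alice    pts/0        10.0.0.5         Mon Aug 16 12:58 - 13:40  (00:42)
bob      pts/1        10.0.0.9         Mon Aug 16 09:02 - 09:30  (00:28)
""",
    "client-b": """\
carol    pts/2        10.0.0.7         Sun Aug 15 23:50 - 00:20  (1+00:30)
dave     pts/3        10.0.0.8         Mon Aug 16 13:10   still logged in
""",
}
# Assumes every record has a source column and English month names.
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<src>\S+)\s+"
    r"\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) (?P<start>\d\d:\d\d)"
    r"(?:\s+-\s+\d\d:\d\d\s+\((?:(?P<days>\d+)\+)?(?P<dur>\d\d:\d\d)\)"
    r"|\s+(?P<open>still logged in))"
)

def sessions_covering(last_text, when):
    """Return (user, tty, source) for every session that was open at `when`."""
    hits = []
    for line in last_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, reboot/shutdown records, blank lines
        start = datetime.strptime(
            f"{YEAR} {m['mon']} {m['day']} {m['start']}", "%Y %b %d %H:%M")
        end = None  # None means the session is still open
        if not m["open"]:
            # Use the duration, not the end clock time, so multi-day sessions count.
            h, mins = map(int, m["dur"].split(":"))
            end = start + timedelta(days=int(m["days"] or 0), hours=h, minutes=mins)
        if start - SLACK <= when and (end is None or when <= end + SLACK):
            hits.append((m["user"], m["tty"], m["src"]))
    return hits

def who_was_on(per_host, when):
    return {host: sessions_covering(text, when) for host, text in per_host.items()}

if __name__ == "__main__":
    for host, hits in who_was_on(SAMPLE_LAST, BOGUS_MTIME).items():
        print(host, hits)
```

Login records on a compromised host can be altered, so an empty result for a host does not clear it.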
    
