On Wednesday 23 April 2003 15:54, Anders Johansson wrote:
On Wednesday 23 April 2003 22:42, Thomas Jones wrote:
Looks like a sendmail installation.
heh
The /var/spool/mqueue directory is part of Base Operating System (BOS) Runtime.
Yeah? My copy of the OS/400 V4R3 manual leaves that directory undefined.
Check that this directory is mode 0x700 and UID is 0; as well as the GID 0. This is the default permission configuration of sendmail. Find it out via the -n switch of the ls command (for numeric format).
Also, check that this is indeed the queue directory as defined by "Q" in the sendmail.cf configuration file.
What if it isn't? Send the hacker to a sendmail configuration seminar?
If it isn't the same directory, then the configuration file has been altered. If accounting has been activated, then Matt should be able to find out who altered it and at what time. Not very many of today's distribution installations activate "acct" by default though.
If this happened to be a "hacker" of sorts, he must have altered various system files.
i.e. a hacked-up /dev/null
Otherwise, he would not be able to remotely login. /dev/null doesn't return very many prompts to a tty. ;)
That's right, if he logs in as root he cannot create another user account with /dev/null as $HOME because then he wouldn't be able to log in as root again.
$HOME should be the /var/spool/mqueue. I am assuming that it in fact does
exist. And is a valid directory structure. Interesting scenario though.
It may behoove him to research into inode(4). The following structures may be
of some help.
Thomas Jones Linux-Howtos Administrator
Hmmmm
-- Thomas Jones Linux-Howtos Administrator
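
The check discussed in the thread (queue directory mode, owner and group, and agreement with the queue directory option in sendmail.cf), written out as an added example that is not part of the original messages. The owner-only mode is taken as octal 0700, and the option spellings `OQ` and `O QueueDirectory=` and the `/etc/mail/sendmail.cf` path are assumptions about a stock sendmail setup.

```python
import os
import re
import stat

# Matches both the old single-letter form (OQ/path) and the long form
# (O QueueDirectory=/path) of the queue directory option in sendmail.cf.
_QUEUE_RE = re.compile(r"^O(?:Q|\s+QueueDirectory\s*=)\s*(\S+)")

def queue_dir_from_cf(cf_text):
    """Return the queue directory named in sendmail.cf text, or None."""
    for line in cf_text.splitlines():
        m = _QUEUE_RE.match(line)
        if m:
            return m.group(1)
    return None

def audit_queue_dir(cf_text, expected_dir, want_uid=0, want_gid=0, want_mode=0o700):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    configured = queue_dir_from_cf(cf_text)
    if configured is None:
        return ["no queue directory option found in configuration"]
    if os.path.normpath(configured) != os.path.normpath(expected_dir):
        findings.append(f"config names {configured}, expected {expected_dir}")
    try:
        st = os.lstat(configured)  # lstat: do not follow a planted symlink
    except OSError as exc:
        findings.append(f"cannot stat {configured}: {exc.strerror}")
        return findings
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{configured} is not a directory")
    mode = stat.S_IMODE(st.st_mode)
    if mode != want_mode:
        findings.append(f"mode is {mode:04o}, expected {want_mode:04o}")
    if st.st_uid != want_uid or st.st_gid != want_gid:
        findings.append(f"owner is {st.st_uid}:{st.st_gid}, expected {want_uid}:{want_gid}")
    return findings

if __name__ == "__main__":
    with open("/etc/mail/sendmail.cf") as fh:  # assumed location of the config
        for finding in audit_queue_dir(fh.read(), "/var/spool/mqueue"):
            print(finding)
```
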