I asked:

> This is a weird one, so I am putting this out to see if anyone else has
> any ideas.
>
> This is a Solaris 2.5.1 machine. We have a monitoring script that mails
> root when a certain string is found in /var/adm/messages. The program that
> mails root is /usr/ucb/mail, which is a symlink to /usr/bin/mailx.
>
> The mail message sets the subject with the -s flag, but has no body. So
> it should be a null message. However, with the manually set Subject line
> (which has the info that we need) it is also including in the body of the
> message the contents of what appears to be the console, which includes
> passwords from people logging in!
>
> Since this is an old machine, I do not have a 2.5.1 version of perl so I
> cannot run patchk.pl to see if the patches are up to date.
>
> My guess is that this is a bug with mailx on a 2.5.1 machine, but I am not
> sure. Has anyone else seen this sort of problem?

The answer:

While no one has seen the exact problem I have, several people responded back and offered suggestions. Thank you.

Since my tripwire database explicitly lists /usr/bin/mailx, and the binary is the same size and has the same checksum on the few 2.5.1 boxes I still have, I do not think I have been broken into.

Several people responded that patchk.pl can be told to use a separate showrev -p, pkginfo -l, uname, etc., so I was able to check its installed packages on another machine. (There is no mailx patch for 2.5.1, btw.)

I ended up explicitly specifying a body to the message, and I will see if that works. Several people mentioned specifying a body to the message; either /dev/null or some nonsense text. I will now wait a while and see if the problem occurs again.
Thanks to:

Andy Bach <root@wiwb.uscourts.gov>
"Sylvain" <smarques@atosorigin.com>
"Pat Winn" <pat.winn@velocibyte.com>
Chaos Golubitsky <chaos@glassonion.org>
John D Groenveld <jdg117@elvis.arl.psu.edu>
"Dave Landsiedel" <Dave_Landsiedel@bobcat.com>
Mark McManus <mmcmanus@houston.geoquest.slb.com>

+-----------------------------------------------------------------------+
| Christopher L. Barnard       O       When I was a boy I was told that |
| cbarnard@tsg.cbot.com       / \      anybody could become president.  |
| (312) 347-4901             O---O     Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+

Received on Thu Aug 9 21:58:21 2001