Re: [Exim] Have I been Hacked

Author: Vadim Vygonets
Date:  
To: exim-users
Subject: Re: [Exim] Have I been Hacked
Quoth Ed Zimmermann on Thu, Aug 17, 2000:
> There is a file in the /usr/exim/spool/msg directory that looks very
> strange.
> User/group are numbers, file size is wacked and the date is way in the
> future.

It's not a file size, it's a block device number.

> I can't view it or delete it.. I even tried booting into single user mode.
> There are the file details..
>
> b--xrw-rwt  1 1510633525  1668760147          1044,80,304 Apr  5  2005
> 13KxKN-0004xw-00
It seems like you have some sort of BSD system, right? The
explanation below will probably only be good for BSD. It also
seems like you had a crash (or power fail) lately, and you don't
have soft updates enabled.

You can remove the file by using clri(8). If you do "df
/usr/exim/spool/msg", you will get the filesystem (such as
/dev/wd0a). If you do "ls -li
/usr/exim/spool/msg/13KxKN-0004xw-00", in the first column you will
get the inode number of the file (such as 1234). Then do (as
root, in single user mode, before mounting the filesystem
read-write), substituting the correct values of disk device and
inode number:

# clri /dev/wd0a 1234
# fsck /dev/wd0a

Vadik.

-- 
Time is an illusion.  Lunchtime doubly so.
    -- Ford Prefect
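The following script is an added example for this thread, not code from the mail above or from the Exim project. It automates the identification half of Vadim's procedure: it walks an Exim spool directory, reports every entry that is not a regular file (a block device node like the one Ed found has no business in a message spool) or whose modification time lies in the future, and prints the inode number, the type character from ls -l, and the device the directory lives on, so the admin can run the clri(8)/fsck(8) steps by hand. It modifies nothing. It assumes POSIX sh, df -P, ls, awk, mktemp, and a find(1) that accepts -mindepth/-maxdepth and -newer (GNU findutils and the BSD finds both do); the spool path, the message-file names in the comments and the clri_hint function are the example's own, not Exim's.

```shell
#!/bin/sh
# Added example: report directory entries in an Exim spool directory that
# cannot be legitimate message files. Two checks:
#   1. the entry is not a regular file (device node, FIFO, socket, ...);
#   2. the entry's mtime is later than the moment the scan started, i.e.
#      it is dated in the future.
# The "future" check therefore also catches a message written while the scan
# runs; run it on a quiet (single-user) system, as the mail advises.
# Nothing is modified; the output is a report.

# Print the device the directory lives on (e.g. /dev/wd0a), using POSIX df -P.
spool_device() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Print one report line for entry $2 with reason $1:
#   <reason> <inode> <type-char> <path>
# type-char is the first column of ls -l: b = block device, c = char device,
# p = FIFO, d = directory, - = regular file.
report_entry() {
    inode=$(ls -di "$2" | awk '{ print $1 }')
    tchar=$(ls -ld "$2" | cut -c1)
    printf '%s %s %s %s\n' "$1" "$inode" "$tchar" "$2"
}

# Scan directory $1 and print a report line per suspicious entry.
scan_spool() {
    dir=$1
    ref=$(mktemp) || return 1        # reference file whose mtime is "now"

    # 1. anything that is not a regular file
    find "$dir" -mindepth 1 -maxdepth 1 ! -type f -print |
    while read -r f; do
        report_entry not-regular-file "$f"
    done

    # 2. regular files dated later than the scan start (non-regular entries
    #    were already reported by check 1, so they are not repeated here)
    find "$dir" -mindepth 1 -maxdepth 1 -type f -newer "$ref" -print |
    while read -r f; do
        report_entry mtime-in-future "$f"
    done

    rm -f "$ref"
}

# Print, without running them, the commands from the mail for clearing
# inode $2 on the filesystem holding directory $1.
clri_hint() {
    dev=$(spool_device "$1")
    echo "# single-user mode, filesystem not mounted read-write:"
    echo "clri $dev $2"
    echo "fsck $dev"
}

# Usage: sh spoolscan.sh /usr/exim/spool/msg
if [ "$#" -eq 1 ]; then
    scan_spool "$1"
fi
```

For the entry in the thread, a report line would read something like `not-regular-file 1234 b /usr/exim/spool/msg/13KxKN-0004xw-00`, and `clri_hint /usr/exim/spool/msg 1234` prints the two commands to type. The report is deliberately separated from any action: clri(8) bypasses the filesystem's consistency checks, so it should only ever be typed by hand after confirming the inode number and device.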