From owner-freebsd-hackers Mon Jun 24 23:41:45 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA21380 for hackers-outgoing; Mon, 24 Jun 1996 23:41:45 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA21310; Mon, 24 Jun 1996 23:41:30 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id IAA08093; Tue, 25 Jun 1996 08:39:37 +0200 (SAT)
Message-Id: <199606250639.IAA08093@grumble.grondar.za>
To: -Vince-
cc: Mark Murray, hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 08:39:37 +0200
From: Mark Murray
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote:
> > If you do not know the basics, like setuid, you are WIDE open for this
> > kind of attack.
>
> Well, I know what a setuid is but didn't know it was called a setuid
> since it has that s in the permissions... Also, on our machine, the wheel
> group only has chad, jbhunt, vince and root and the only person who can
> login to root directly is chad at the console, we all need to su.

Ok...

> > This shell could have been created two ways (That are currently in
> > popular cracker use):
> >
> > 1) The cracker snooped your root password somehow, (digging through
> > your desk/dustbin or by running a snooper somewhere), then created
> > this suid shell for future use.
>
> This isn't possible since Gaianet isn't opened to the public for
> people to snoop around.

Physically, OK, but electronically?

> > 2) The Cracker made a trojan script somewhere (usually exploiting
> > some admins (roots) who have "." in their path). This way he creates
> > a script that when run as root will make him a suid program.
> > after this he has you by tender bits.
>
> Hmmm, doesn't everyone have . as their path since all . does is allow
> someone to run stuff from the current directory...

Not root! This leaves you wide open for trojans. As root you should have
to type ./foo to run foo in the current directory.

> > There are other ways, but these are the most popular.
> >
> > For much more info, I recommend "Practical Unix Security" from
> > O'Reilly and Associates, (By Garfinkel?)
>
> I have that book but there are always ways no one knows about ;)

Sure! :-)

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
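The two checks the message above turns on, as an added example that is not part of the thread and not Mark Murray's or FreeBSD's code: a PATH audit that flags "." and other components which make the shell search the current directory (the trojan-script route for root), and a setuid/setgid file sweep of the kind that would have turned up the suid shell under discussion. The function names and the sample PATH strings are this example's own assumptions; run it with `sh audit.sh --audit /usr/local` to check the calling shell's PATH and a directory tree.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread. Function names and
# sample values are this example's own.
#   1. unsafe_path_entries / sanitized_path: flag or strip PATH components that
#      make the shell search the current directory: ".", any relative name, or
#      an empty component such as the one in "/bin::/usr/bin" (POSIX treats an
#      empty component as the current directory, so ":" at either end counts too).
#   2. list_setid_files: enumerate setuid/setgid regular files under a tree.

# Print every PATH component that is not an absolute directory, one per line.
# An empty component is printed as "(empty)" so that it is visible.
unsafe_path_entries() {
    rest="$1:"                 # trailing ':' lets the loop consume the last entry
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"    # component before the first ':'
        rest="${rest#*:}"      # everything after it
        case "$entry" in
            '')    printf '%s\n' '(empty)' ;;
            [!/]*) printf '%s\n' "$entry" ;;   # ".", "..", "bin", "./tools", ...
        esac
    done
}

# Print a copy of the PATH string with the unsafe components removed.
sanitized_path() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            ''|[!/]*) ;;                            # drop it
            *)        out="${out:+$out:}$entry" ;;  # keep, joined with ':'
        esac
    done
    printf '%s\n' "$out"
}

# List regular files under $1 with the setuid (4000) or setgid (2000) bit set.
# Run this periodically and diff against a known-good baseline; a new entry
# like an unexpected copy of /bin/sh is exactly what the thread describes.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Stand-alone usage: audit the calling shell's own PATH, then a directory tree.
if [ "${1:-}" = "--audit" ]; then
    echo "Unsafe PATH entries (none is the goal):"
    unsafe_path_entries "$PATH"
    echo "Suggested PATH: $(sanitized_path "$PATH")"
    echo "setuid/setgid files under ${2:-/usr/local}:"
    list_setid_files "${2:-/usr/local}"
fi
```

The PATH functions deliberately walk the string with parameter expansion instead of `IFS=:` field splitting, because shells disagree on whether a leading or trailing ":" produces an empty field, and that empty field is precisely the case being hunted for.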