From owner-freebsd-security Mon Dec 9 21:22:11 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id VAA12397 for security-outgoing; Mon, 9 Dec 1996 21:22:11 -0800 (PST)
Received: from ican.net (ican.net [198.133.36.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id VAA12382 for ; Mon, 9 Dec 1996 21:22:07 -0800 (PST)
Received: from gate.ican.net(really [198.133.36.2]) by ican.net via sendmail with esmtp id for ; Tue, 10 Dec 1996 00:22:06 -0500 (EST) (Smail-3.2 1996-Jul-4 #1 built 1996-Jul-10)
Received: (from smap@localhost) by gate.ican.net (8.7.5/8.7.3) id AAA20343 for ; Tue, 10 Dec 1996 00:18:51 -0500 (EST)
Received: from nap.io.org(10.1.1.3) by gate.ican.net via smap (V1.3) id sma020341; Tue Dec 10 00:18:46 1996
Received: from localhost (taob@localhost) by nap.io.org (8.7.5/8.7.3) with SMTP id AAA01667 for ; Tue, 10 Dec 1996 00:15:52 -0500 (EST)
X-Authentication-Warning: nap.io.org: taob owned process doing -bs
Date: Tue, 10 Dec 1996 00:15:52 -0500 (EST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: URGENT: Packet sniffer found on my system
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I happened across an interesting little process today on a few of our servers. It appears to be the "sniffit" packet sniffer found in the Linux RootKit. I can mail the binary to anyone who wants to analyse it. What it does is use bpf to log every connection between a pair of hosts and save all the good parts to a series of files. The guy running the sniffer logged well over 17000 connections today and god knows how many username/password combinations. He was watching the FTP and POP3 ports, mainly.

I'd like to know how he was able to run the process as root. The binary is *not* setuid, and a "ps auxo ruser" shows the real owner is also root. The three servers I found it running on have 2.2-961014 installed, upgraded to sendmail 8.8.3.

The two shell servers have had all but six setuid root binaries chmod 500'd. The Web/FTP server does not grant shell access. Is there something with Apache 1.1.1 or wu-ftpd I don't know about that allows a user to execute arbitrary code as root? I noticed lpr still had its setuid bit on the FTP server, but afaik, there is no way to tell wu-ftpd to run arbitrary programs as root. We are running wu-ftpd 2.4(1).

Any ideas how root access was available so easily?

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
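The message above relies on a hand-maintained inventory of setuid root binaries ("all but six ... chmod 500'd") and notes that lpr had slipped through on one host. The script below is an added example, not code from the original mail or from the FreeBSD project: it walks a directory tree, reports every setuid or setgid regular file that is not on an allowlist, and records the owning uid so setuid-root entries stand out. The allowlist entries and the file names planted by `demo()` are constructed for illustration; the real list is whatever the administrator decided to keep. As the mail itself points out, the sniffer binary was not setuid, so an audit like this catches forgotten privileged binaries (the lpr case), not a process that was already started as root.

```python
import os
import shutil
import stat
import tempfile


def classify(rel_path, st_mode, st_uid, allowlist):
    """Return a finding dict for one regular file, or None if it carries no
    setuid/setgid bit or is an expected entry from `allowlist`.

    `rel_path` is the path relative to the audited root, so the same
    allowlist works against "/" on a live host or a temp tree in a test.
    """
    kinds = []
    if st_mode & stat.S_ISUID:
        kinds.append("setuid")
    if st_mode & stat.S_ISGID:
        kinds.append("setgid")
    if not kinds or rel_path in allowlist:
        return None
    return {
        "path": rel_path,
        "bits": "+".join(kinds),
        "mode": oct(stat.S_IMODE(st_mode)),
        "uid": st_uid,
        # uid 0 plus setuid is the case the mail is worried about
        "setuid_root": bool(st_mode & stat.S_ISUID) and st_uid == 0,
    }


def audit_setuid(root, allowlist=frozenset()):
    """Walk `root` and return unexpected setuid/setgid files, sorted by path.

    Symlinks, devices and sockets are skipped (lstat, regular files only),
    and unreadable entries are ignored rather than aborting the walk.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            finding = classify(rel, st.st_mode, st.st_uid, allowlist)
            if finding is not None:
                findings.append(finding)
    findings.sort(key=lambda f: f["path"])
    return findings


def _plant(base, rel_path, mode):
    """Create an empty file under `base` with the given mode (test fixture)."""
    path = os.path.join(base, rel_path)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb"):
        pass
    os.chmod(path, mode)


def demo():
    """Build a small constructed tree, audit it, and return the findings.

    The file names are hypothetical; only the shape of the result matters.
    """
    base = tempfile.mkdtemp(prefix="setuid-audit-")
    try:
        _plant(base, "usr/bin/su", 0o4755)              # allowlisted: not reported
        _plant(base, "usr/bin/lpr", 0o4755)             # forgotten setuid binary
        _plant(base, "usr/bin/wall", 0o2755)            # setgid, not on the list
        _plant(base, "usr/local/bin/sniffit", 0o755)    # no setuid bit: invisible here
        return audit_setuid(base, allowlist=frozenset({"usr/bin/su"}))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        flag = "ROOT" if f["setuid_root"] else "    "
        print(f"{flag} {f['bits']:<14} {f['mode']} uid={f['uid']} {f['path']}")
```

Run against a live system as `audit_setuid("/", allowlist)` from a cron job and diff the output against the previous run; a new entry such as the lpr case in the mail is the signal worth paging on.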