Date:      Mon, 24 Jun 1996 16:51:19 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc:        Mark Murray <mark@grumble.grondar.za>, Wilko Bulte <wilko@yedi.iaf.nl>, guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <Pine.BSF.3.91.960624164925.21697K-100000@mercury.gaianet.net>
In-Reply-To: <13540.835653527@time.cdrom.com>

On Mon, 24 Jun 1996, Jordan K. Hubbard wrote:

> If it's setuid root then this whole conversation is somewhat pointless,
> no?  It's like saying "Somebody can break into my house!" and then
> having it pointed out that this isn't all that unusual given that the
> perpetrator has a full set of your housekeys and that your wife has been
> having an affair with him for months anyway and lets him in after you
> leave for work in the morning. :-)

	Good one Jordan :-)  But the thing is how did he get that binary there
in the first place since if he can do that here, then he can do that on any
machine that he doesn't have group wheel on to gain root access...  I'll 
let John comment on this one :-)

Vince
System Administration - GaiaNet Corporation

> repl: bad addresses:
> 	Mark Murray <mark@grumble.grondar.za.@grondar.za> -- no sub-domain in domain-part of address (@)
> > Veggy Vinny wrote:
> > > > With a setuid bit?
> > > 
> > > 	Not too sure...
> > 
> > ls -al will tell you this. Come on :-)
> > 
> > > > Does ktrace(1) give any clues?
> > > 
> > > 	Nope... :-(
> > > 
> > > > What do you get from strings(1)? (Long shot..)
> > > 
> > > -rwsr-xr-x     1 root  users  278528 Jun 18 04:01 root is from the dir 
> >      ^
> >      | This is a setuid prog. The program is owned by root, and is
> >        SETUID, therefore it will run as if it were root. It is
> >        probably a shell (bash, sh, csh) renamed to root and setuid.
> >        "chmod 755 root" will cut it down to size.
> > 
> > > listing.  as for strings...  it's really long...
> > 
> > Try me. Cut out the rubbish and the library crap.
> > 
> > > > What other exploration have you done?
> > > 
> > > 	Not much really..... I do remember seeing someone like hack root 
> > > using ypwhich and it worked too....  that was on 2.1R...  -current seemed 
> > > to fix it...
> > 
> > M
> > --
> > Mark Murray
> > 46 Harvey Rd, Claremont, Cape Town 7700, South Africa
> > +27 21 61-3768 GMT+0200
> > Finger mark@grondar.za for PGP key
> 
> 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960624164925.21697K-100000>
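
An added example, not part of the original thread: the quoted reply reads the setuid bit off an `ls -al` line, and this sketch does the same triage over a whole pasted listing, also covering setgid and the capital `S` case. The function names and every sample line except the first (which is the one quoted in the message) are constructed for illustration.

```shell
#!/bin/sh
# Triage `ls -l` output for setuid/setgid regular files.
# Reads listing lines on stdin and prints "<flag> <owner>:<group> <name>"
# for each hit. Setuid takes precedence when both bits are set.
flag_setid() {
    awk '
    # Regular files only: mode string starts with "-" and has all 10 slots.
    substr($1, 1, 1) == "-" && length($1) >= 10 && NF >= 9 {
        owner = $3; group = $4
        u = substr($1, 4, 1)   # owner execute slot: s or S means setuid
        g = substr($1, 7, 1)   # group execute slot: s or S means setgid
        flag = ""
        if (u == "s" || u == "S") {
            flag = (owner == "root") ? "SUID-ROOT" : "SUID"
        } else if (g == "s" || g == "S") {
            flag = "SGID"
        }
        if (flag == "") next
        # The file name is field 9 onward (names may contain spaces).
        name = $9
        for (i = 10; i <= NF; i++) name = name " " $i
        print flag, owner ":" group, name
    }'
}

# Sample listing. Line 1 is the line quoted in the thread; the rest are
# constructed to exercise the other branches.
sample_listing() {
    cat <<'EOF'
total 5
-rwsr-xr-x     1 root  users  278528 Jun 18 04:01 root
-rwxr-xr-x     1 alice users   12288 Jun 17 11:20 build.sh
-rwSr--r--     1 alice users     512 Jun 17 11:21 notes
-rwxr-sr-x     1 root  kmem    40960 Jun 10 09:00 meminfo tool
drwxr-xr-x     2 alice users     512 Jun 17 11:19 src
EOF
}

sample_listing | flag_setid
```

On a live system, `find <dir> -type f -perm -4000 -user root` answers the same question from the file metadata directly, without parsing `ls` output.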