From owner-freebsd-security Mon Jun 24 16:51:45 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24450 for security-outgoing; Mon, 24 Jun 1996 16:51:45 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24430; Mon, 24 Jun 1996 16:51:39 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id QAA18004; Mon, 24 Jun 1996 16:51:19 -0700 (PDT)
Date: Mon, 24 Jun 1996 16:51:19 -0700 (PDT)
From: -Vince-
To: "Jordan K. Hubbard"
cc: Mark Murray, Wilko Bulte, guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <13540.835653527@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Jordan K. Hubbard wrote:

> If it's setuid root then this whole conversation is somewhat pointless,
> no? It's like saying "Somebody can break into my house!" and then
> having it pointed out that this isn't all that unusual given that the
> perpetrator has a full set of your housekeys and that your wife has been
> having an affair with him for months anyway and lets him in after you
> leave for work in the morning. :-)

Good one, Jordan :-) But the thing is, how did he get that binary there in
the first place? If he can do that here, then he can do that on any machine
that he doesn't have group wheel on to gain root access... I'll let John
comment on this one :-)

Vince
System Administration - GaiaNet Corporation

> repl: bad addresses:
>         Mark Murray -- no sub-domain in domain-part of address (@)
>
> Veggy Vinny wrote:
> > > > With a setuid bit?
> > >
> > > Not too sure...
> >
> > ls -al will tell you this. Come on :-)
> >
> > > > Does ktrace(1) give any clues?
> > >
> > > Nope... :-(
> >
> > > > What do you get from strings(1)? (Long shot..)
> > >
> > > -rwsr-xr-x  1 root  users  278528 Jun 18 04:01 root     is from the dir
> >    ^
> >    | This is a setuid prog. The program is owned by root, and is
> > SETUID, therefore it will run as if it were root. It is
> > probably a shell (bash, sh, csh) renamed to root and setuid.
> > "chmod 755 root" will cut it down to size.
> >
> > > listing. as for strings... it's really long...
> >
> > Try me. Cut out the rubbish and the library crap.
> >
> > > > What other exploration have you done?
> > >
> > > Not much really..... I do remember seeing someone like hack root
> > > using ypwhich and it worked too.... that was on 2.1R... -current seemed
> > > to fix it...
> >
> > M
> > --
> > Mark Murray
> > 46 Harvey Rd, Claremont, Cape Town 7700, South Africa
> > +27 21 61-3768 GMT+0200
> > Finger mark@grondar.za for PGP key
> >
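The thread's diagnosis rests on two checks: a file with the setuid bit set and owned by root (the `-rwsr-xr-x ... root` line) runs as root, and `chmod` strips that bit. The following is an added example, not code from the thread or from FreeBSD, showing how an administrator can audit a tree for such files, diff the result against a saved baseline so a newly planted binary like the one above stands out, and remove the bit; the function names and the baseline-file convention are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid executables and compare
# against a baseline. Uses only POSIX find/comm/chmod.

# List every setuid file under $1, sorted, one path per line.
# -perm -4000 matches files with the setuid bit regardless of other mode bits.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Same, restricted to files owned by root: the combination that yields a
# root shell when the binary is an ordinary shell renamed to "root".
list_setuid_root() {
    find "$1" -type f -perm -4000 -user root 2>/dev/null | sort
}

# Print setuid files present now that were not in the baseline file $2.
# The baseline is a sorted list saved earlier with: list_setuid DIR > FILE
new_setuid_since() {
    list_setuid "$1" | comm -13 "$2" -
}

# The fix quoted in the thread ("chmod 755 root"), expressed as clearing
# only the setuid bit so the rest of the mode is left untouched.
strip_setuid() {
    chmod u-s "$1"
}
```

Run `list_setuid /usr/home > baseline.txt` once on a known-clean system, then `new_setuid_since /usr/home baseline.txt` periodically; any output is a file that acquired the setuid bit since the baseline was taken.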