Date: Tue, 25 Jun 1996 13:31:04 -0700 (PDT)
From: -Vince- <vince@mercury.gaianet.net>
To: Arlen Fletcher <fletcher@paccar.com>
Cc: security@freebsd.org, jbhunt <jbhunt@mercury.gaianet.net>, Chad Shackley <chad@mercury.gaianet.net>
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <Pine.BSF.3.91.960625132911.25073H-100000@mercury.gaianet.net>
In-Reply-To: <199606251653.JAA09261@mugwump.paccar.com>

On Tue, 25 Jun 1996, Arlen Fletcher wrote:

> At 08:43 AM 6/25/96 -0700, you wrote:
> >On Tue, 25 Jun 1996, Michael Smith wrote:
> > > [snip]
>
> >Ok, this is jb. First off all this copied from here to there as root
> >didn't happen. I gave this fella an account knowing more than likely if
> >we had a hole he would find it. Unfortunately I wasn't watching his tty
> >when he actually used whatever exploit he used. He obviously used a
> >setuid exploit so I suggest that there is a New exploit out abusing a
> >setuid program somewhere on the system because I know vince fixed the
> >mount_union and current fixed the old ypwhich hack. Or actually maybe not
> >so old for some of you, but either way I did have to give him an account
> >before he could do anything. However, once inside it took him 2 minutes
> >and he was root. I know for a fact it was his FIRST look inside the
> >
> Did you by any chance check the history file? I presume he vaporized it,
> but you never know....

I did but he didn't have a history file..

> Of course it's 20/20 hindsight, but copying the history file somewhere
> else when you see a user doing something bizarre (like becoming root)
> might be worth thinking about in the future.

Yeah, I always check the history file...

Vince