Date:      Fri, 12 Jul 1996 11:50:57 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        jbhunt <jbhunt@mercury.gaianet.net>
Cc:        root@mercury.gaianet.net, freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, first-teams@first.org
Subject:   Re: ROOT COMPROMISE
Message-ID:  <Pine.BSF.3.91.960712114404.2779A-100000@mercury.gaianet.net>
In-Reply-To: <Pine.BSF.3.91.960712111508.2906A-300000@mercury.gaianet.net>

On Fri, 12 Jul 1996, jbhunt wrote:

> Ok, I tracked down the offending account Vince. The account soulz has 2 
> setuid root shells in it at this moment. Fortunately for us this time 
> this offender wasn't as smart as the last one and left us a trail. 
> Included in this email are both of his history files: the .historysoulz 
> file is the one he used to gain root, the historysoulz file is what he did 
> after he got root. It seems that he telneted to io.com and downloaded a 
> file called bsdiex. Then ran the file and it made a setuid shell called 
> .irc. He seems to have been trying many different things to gain root 
> such as dip and the other things. After the bsdiex file he compiled a 
> file called real.c. I tracked that down on the system; it is in the usr 
> dir. So there may be something that ties them together. I have since 
> called Ken Jackson, Systems Manager, at io.com and he is going to help as 
> much as he can. He is currently looking for the bsdiex file on his system.
> I have suspended the account. However it looks as though he made 1 account 
> while he was root and I am not sure exactly what it is. So Vince we may 
> need to take some action on this. Give me your thoughts on what we might 
> do. I would also appreciate some help on this from the freebsd guys. A 
> few weeks ago when I posted saying there was a NEW exploit for freebsd 
> nobody seemed to believe me, however it seems there truly IS something 
> new out here. Please give me your thoughts and ideas after looking at the 
> files.

	Just finished looking at the logs and that was the reason 
/etc/master.passwd was missing.  Thanks to Aaron Gifford for his 
remaster.pl script to regenerate the master.passwd file from spwd.db or 
else we wouldn't be able to disable his account or do anything that even 
touches the user database.  I suggest we begin to really search the 
system to look for further security holes since there may be others with 
something similar on the system....  We should have suspected it was 
soulz for a long time since even back in May, someone has been 
deleting chad, you and me from the root .forward file and adding soulz 
to it...  

Cheers,
-Vince- vince@mercury.gaianet.net - http://www.gaianet.net
UCSF Dept of Medicine - Magnetic Resonance Imaging Clinical Lab Researcher
GaiaNet Corporation - Unix Systems Operations - Beverly Hills, California USA
Astronomy - Physics - Electrical Engineering - Computer Science - Medicine
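The three leftovers this thread turns up (setuid shells in a user's home, root's .forward rewritten, /etc/master.passwd gone) are easy to sweep for. The script below is an added example for this archive page, not something either poster sent; the home tree, .forward path and allow-list it takes are arguments, and the sample directory in the comments is constructed.

```shell
#!/bin/sh
# Post-compromise sweep for the artifacts described in the thread.
# Added example; paths are passed in, nothing here is from the original mail.

# 1. Setuid executables under a home-directory tree. A setuid-root shell
#    parked in a user's home (the ".irc" file above) is the classic leftover.
#    In production add "-user root" to narrow the hit list to root-owned files.
find_setuid_in_homes() {
    # $1 = root of the home directories to sweep (e.g. /home or /usr/home)
    find "$1" -type f -perm -4000 2>/dev/null
}

# 2. Root's .forward must contain only the admins you expect. The thread saw
#    admins removed and the attacker's account added, so any entry not on the
#    allow-list is reported. Entries may be comma- or newline-separated.
check_forward() {
    # $1 = path to the .forward file; remaining args = expected recipients
    forward="$1"; shift
    [ -f "$forward" ] || return 0
    tr ',' '\n' < "$forward" |
    sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
    grep -v '^$' |
    while read -r entry; do
        ok=0
        for allowed in "$@"; do
            if [ "$entry" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected forward entry: $entry"
        fi
    done
}

# 3. The user database must be intact: with master.passwd missing, nothing that
#    touches accounts (vipw, chpass, disabling a login) works until it is
#    regenerated from spwd.db, which is what remaster.pl did in the thread.
passwd_db_intact() {
    # $1 = directory holding master.passwd and spwd.db (normally /etc)
    [ -s "$1/master.passwd" ] && [ -s "$1/spwd.db" ]
}

# Typical run on the live box:
#   find_setuid_in_homes /home
#   check_forward /root/.forward vince chad jbhunt
#   passwd_db_intact /etc || echo "master.passwd or spwd.db missing"
```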