From owner-freebsd-security Mon Jul 28 03:20:16 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id DAA22155 for security-outgoing; Mon, 28 Jul 1997 03:20:16 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA22146 for ; Mon, 28 Jul 1997 03:20:08 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id DAA03869; Mon, 28 Jul 1997 03:19:55 -0700 (PDT)
Date: Mon, 28 Jul 1997 03:19:55 -0700 (PDT)
From: Vincent Poy
To: security@FreeBSD.ORG
cc: "[Mario1-]" , JbHunt
Subject: security hole in FreeBSD
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Greetings,

We've had a hacker on two of our FreeBSD -current machines who hacked the machine as root. The symptoms are as follows:

1) User on mercury machine complained about perl5 not working, which was perl5.003, since the libmalloc lib it was linked to was missing.
2) I recompiled the perl5 port from the ports tree and it's perl5.00403 and it works.
3) User hacks earth when he doesn't even have an account on the machine and can log in to the machine remotely as root when rlogin and telnet wouldn't allow it.
4) User is invisible in w, finger, who, users and can only be seen using ps -agux on a pty, so I killed the process.
5) User changes hostnames even in a netstat output so it's all garbage.
6) We went to inetd.conf and shut off all daemons except telnetd and rebooted and user still can get onto the machine invisibly.
7) User shuts down the machine and changes root password.

Saw the user on irc posting the password of earth with the login name root. Any ideas?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin
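
Symptom 4 in the message above (a session absent from w/who but visible in ps on a pty) can be checked mechanically by comparing the two views. The script below is an added example, not part of the original message; the `who` and `ps` column layouts, the tty-name normalization and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# hidden_ptys WHO_FILE PS_FILE
# Prints "tty user pid command" for every process attached to a pty that has
# no login record in the who output. Assumed layouts: who = user, line, ...;
# ps = USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND.
# Live use (assumed): who > who.txt; ps -agux > ps.txt
hidden_ptys() {
    awk '
        # who output: column 2 is the line ("ttyp0"); ps shows it as "p0".
        # FILENAME is compared instead of NR==FNR so an empty who file
        # (nobody logged in according to utmp) is still handled correctly.
        FILENAME == ARGV[1] {
            line = $2
            sub(/^tty/, "", line)
            logged[line] = 1
            next
        }
        FNR == 1 && $1 == "USER" { next }      # ps header row
        {
            tt = $7
            # Only classic BSD pty names; consoles (v0) and daemons (??)
            # legitimately have no login record.
            if (tt !~ /^[p-sP-S][0-9a-v]$/) next
            if (!(tt in logged)) print tt, $1, $2, $11
        }
    ' "$1" "$2"
}

# Constructed sample data (not taken from the original post).
sample_who() {
    printf '%s\n' 'vince    ttyp0    Jul 28 03:01 (10.0.0.5)'
}
sample_ps() {
    cat <<'EOF'
USER   PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root     1  0.0  0.1  496  320  ??  Is    2:10AM 0:00.05 /sbin/init
root   201  0.0  0.3  180  520  v0  Is+   2:11AM 0:00.01 /usr/libexec/getty
vince  412  0.0  0.5  620  880  p0  Ss    3:01AM 0:00.10 -tcsh
root   655  0.0  0.5  600  860  p1  Ss    3:05AM 0:00.08 -sh
root   671  0.0  0.4  400  700  p1  S+    3:06AM 0:00.02 irc
EOF
}

tmp=$(mktemp -d)
sample_who > "$tmp/who"; sample_ps > "$tmp/ps"
hidden_ptys "$tmp/who" "$tmp/ps"
rm -rf "$tmp"
```

A hit is a lead, not proof: programs that allocate a pty without writing a login record also appear here, and on a host where root is compromised the `ps` binary itself may no longer be trustworthy.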