Date: Mon, 24 Jun 1996 22:43:36 +0200
From: Mark Murray <mark@grumble.grondar.za.@grondar.za>
To: Veggy Vinny <richardc@CSUA.Berkeley.EDU>
Cc: Mark Murray <mark@grumble.grondar.za>, Wilko Bulte <wilko@yedi.iaf.nl>, "Jordan K. Hubbard" <jkh@time.cdrom.com>, guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <199606242043.WAA06435@grumble.grondar.za>
Veggy Vinny wrote:
> > With a setuid bit?
> 
> 	Not too sure...
ls -al will tell you this. Come on :-)
> > Does ktrace(1) give any clues?
> 
> 	Nope... :-(
> 
> > What do you get from strings(1)? (Long shot..)
> 
> -rwsr-xr-x     1 root  users  278528 Jun 18 04:01 root is from the dir 
     ^
     | This is a setuid prog. The program is owned by root, and is
       SETUID, therefore it will run as if it were root. It is
       probably a shell (bash, sh, csh) renamed to root and setuid.
       "chmod 755 root" will cut it down to size.
> listing.  as for strings...  it's really long...
Try me. Cut out the rubbish and the library crap.
> > What other exploration have you done?
> 
> 	Not much really..... I do remember seeing someone like hack root 
> using ypwhich and it worked too....  that was on 2.1R...  -current seemed 
> to fix it...
M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
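
A defender-side check for the situation described in the message above, as an added example that is not part of the original e-mail: it lists setuid files under a directory and flags any that are byte-identical to a known shell. The function names and the optional owner argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original message. All function names are hypothetical.

# Shells to compare against: /etc/shells if readable, plus common defaults.
known_shells() {
    {
        if [ -r /etc/shells ]; then grep '^/' /etc/shells || true; fi
        printf '%s\n' /bin/sh /bin/bash /bin/csh
    } | sort -u
}

# audit_setuid DIR [OWNER]
# Lists regular files under DIR that carry the setuid bit and belong to OWNER
# (default: root). A file that is byte-identical to a known shell is reported
# as SHELL-COPY, whatever it has been renamed to; anything else as SETUID.
audit_setuid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        match=""
        for s in $(known_shells); do
            if [ -f "$s" ] && cmp -s "$f" "$s"; then match=$s; break; fi
        done
        if [ -n "$match" ]; then
            printf 'SHELL-COPY %s (identical to %s)\n' "$f" "$match"
        else
            printf 'SETUID %s\n' "$f"
        fi
    done
}

# The fix given in the message: mode 755 drops the setuid bit on a regular file.
strip_setuid() {
    chmod 755 "$1"
}

# When run as a script: audit_setuid.sh DIR [OWNER]
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```

A SETUID line is not proof of compromise; compare the list against the setuid programs the system is expected to ship.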
