From owner-freebsd-security Mon Jun 24 15:00:27 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA09441 for security-outgoing; Mon, 24 Jun 1996 15:00:27 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA09429; Mon, 24 Jun 1996 15:00:19 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id OAA13542; Mon, 24 Jun 1996 14:58:47 -0700 (PDT)
cc: Veggy Vinny, Mark Murray, Wilko Bulte, guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Mon, 24 Jun 1996 22:43:36 +0200." <199606242043.WAA06435@grumble.grondar.za>
Date: Mon, 24 Jun 1996 14:58:47 -0700
Message-ID: <13540.835653527@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

If it's setuid root then this whole conversation is somewhat pointless,
no? It's like saying "Somebody can break into my house!" and then having
it pointed out that this isn't all that unusual given that the perpetrator
has a full set of your housekeys and that your wife has been having an
affair with him for months anyway and lets him in after you leave for
work in the morning. :-)

					Jordan

repl: bad addresses:
	Mark Murray -- no sub-domain in domain-part of address (@)

> Veggy Vinny wrote:
>
> > > With a setuid bit?
> >
> > Not too sure...
>
> ls -al will tell you this. Come on :-)
>
> > > Does ktrace(1) give any clues?
> >
> > Nope... :-(
>
> > > What do you get from strings(1)? (Long shot..)
> >
> > -rwsr-xr-x  1 root  users  278528 Jun 18 04:01 root is from the dir
>      ^
>      | This is a setuid prog. The program is owned by root, and is
> SETUID, therefore it will run as if it were root. It is
> probably a shell (bash, sh, csh) renamed to root and setuid.
> "chmod 755 root" will cut it down to size.
>
> > listing. as for strings... it's really long...
>
> Try me. Cut out the rubbish and the library crap.
>
> > > What other exploration have you done?
> >
> > Not much really..... I do remember seeing someone like hack root
> > using ypwhich and it worked too.... that was on 2.1R... -current seemed
> > to fix it...
>
> M
> --
> Mark Murray
> 46 Harvey Rd, Claremont, Cape Town 7700, South Africa
> +27 21 61-3768 GMT+0200
> Finger mark@grondar.za for PGP key
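The thread above turns on two admin steps: spotting the 's' in the mode column of "ls -al" (the setuid bit that makes the file run as its owner, root here) and removing it with "chmod 755". The following is an added example, not code from this thread or from the FreeBSD project, showing the same audit done with POSIX find(1) and test(1) so it can be run over a whole directory tree rather than one listing. The directory and file names it creates are constructed for the demo; nothing refers to a real system.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory tree for
# setuid files and strip the bit the way the thread suggests.

# Print every regular file under $1 with the setuid bit set.
# POSIX find: "-perm -4000" means "at least the setuid bit".
find_setuid_files() {
    find "$1" -type f -perm -4000
}

# Return 0 if $1 is setuid, 1 otherwise ("test -u" is POSIX and is
# the same bit that ls -al shows as the 's' in -rwsr-xr-x).
is_setuid() {
    [ -u "$1" ]
}

# Apply the fix quoted in the thread: chmod 755 drops setuid (and
# any group/world write) while leaving the file executable.
strip_setuid() {
    chmod 755 "$1"
}

# Demo: build a throwaway directory with one ordinary file and one
# file carrying the setuid bit (a user may set it on a file they own;
# it only matters when root owns the file), then audit, fix and
# re-audit. Echoes "<hits before> <hits after>" for the caller.
demo_setuid_audit() {
    dir=$(mktemp -d) || return 1
    : > "$dir/harmless"
    : > "$dir/root"            # constructed name, mirrors the thread
    chmod 644 "$dir/harmless"
    chmod 4755 "$dir/root"     # -rwsr-xr-x

    before=$(find_setuid_files "$dir" | wc -l | tr -d ' ')
    for f in $(find_setuid_files "$dir"); do
        strip_setuid "$f"
    done
    after=$(find_setuid_files "$dir" | wc -l | tr -d ' ')

    rm -rf "$dir"
    echo "$before $after"
}

demo_setuid_audit     # prints "1 0"
```

On a real host you would run find_setuid_files against / (with -xdev to stay on one filesystem) and compare the list against the setuid binaries the base system is expected to ship; a setuid shell named "root" in a user's directory, as in the thread, would stand out immediately, and the whole list is worth keeping so later runs can be diffed against it.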