Date:      Mon, 24 Jun 1996 16:39:39 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        Mark Murray <mark%grumble.grondar.za.@grondar.za>
Cc:        Mark Murray <mark@grumble.grondar.za>, Wilko Bulte <wilko@yedi.iaf.nl>, "Jordan K. Hubbard" <jkh@time.cdrom.com>, guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org, jbhunt <jbhunt@mercury.gaianet.net>, Chad Shackley <chad@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <Pine.BSF.3.91.960624163713.21697F-100000@mercury.gaianet.net>
In-Reply-To: <199606242043.WAA06435@grumble.grondar.za>

On Mon, 24 Jun 1996, Mark Murray wrote:

> Veggy Vinny wrote:
> > > With a setuid bit?
> > 
> > 	Not too sure...
> 
> ls -al will tell you this. Come on :-)

	Hmmm, okay :-)

> > > Does ktrace(1) give any clues?
> > 
> > 	Nope... :-(
> > 
> > > What do you get from strings(1)? (Long shot..)
> > 
> > -rwsr-xr-x     1 root  users  278528 Jun 18 04:01 root is from the dir 
>      ^
>      | This is a setuid prog. The program is owned by root, and is
>        SETUID, therefore it will run as if it were root. It is
>        probably a shell (bash, sh, csh) renamed to root and setuid.
>        "chmod 755 root" will cut it down to size.

	it does seem like sh or bash...

> > listing.  as for strings...  it's really long...
> 
> Try me. Cut out the rubbish and the library crap.

	Well, it's actually easier to mail you the binary...

> > > What other exploration have you done?
> > 
> > 	Not much really..... I do remember seeing someone like hack root 
> > using ypwhich and it worked too....  that was on 2.1R...  -current seemed 
> > to fix it...

Vince
System Administration/GaiaNet Corporation
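
The check discussed in this thread (a setuid file that is really a shell copied under another name), as an added example that is not part of the original message. The function name `find_setuid_shells` and the list of reference shell paths are assumptions; adjust the list for the system being audited.

```shell
#!/bin/sh
# Added example: list setuid files under a directory tree and say whether
# each one is byte-identical to a known shell (a renamed, setuid shell copy).

# Reference shells to compare against (assumed paths, override via SHELLS).
SHELLS="${SHELLS:-/bin/sh /bin/bash /bin/dash /bin/csh /bin/tcsh /bin/ksh /bin/zsh}"

# find_setuid_shells DIR
# Prints one line per setuid regular file found under DIR:
#   "<file> matches <shell>"  if its contents equal a reference shell
#   "<file> unknown"          if it is setuid but matches none of them
# File names containing newlines are not handled.
find_setuid_shells() {
    dir=$1
    # -perm -4000 selects files with the setuid bit (the "s" in -rwsr-xr-x).
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        match=
        for s in $SHELLS; do
            [ -f "$s" ] || continue          # skip shells not installed here
            if cmp -s "$f" "$s"; then        # byte-for-byte comparison
                match=$s
                break
            fi
        done
        if [ -n "$match" ]; then
            printf '%s matches %s\n' "$f" "$match"
        else
            printf '%s unknown\n' "$f"
        fi
    done
}

# Run against the directory given on the command line, if any.
# Review each hit with "ls -al"; "chmod 755 <file>" clears the setuid bit,
# as suggested in the thread.
if [ "$#" -gt 0 ]; then
    find_setuid_shells "$1"
fi
```

An "unknown" result only means the file differs from the listed shells; a setuid file in a user's directory still deserves a look with `ls -al` and `strings`.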



