Date:      Mon, 24 Jun 1996 18:07:00 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        Michael Smith <msmith@atrad.adelaide.edu.au>
Cc:        mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, jbhunt <jbhunt@mercury.gaianet.net>, Chad Shackley <chad@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down!
Message-ID:  <Pine.BSF.3.91.960624180129.21697T-100000@mercury.gaianet.net>
In-Reply-To: <199606250125.KAA25110@genesis.atrad.adelaide.edu.au>

On Tue, 25 Jun 1996, Michael Smith wrote:

> Mark Murray stands accused of saying:
> > > 
> > > -rwsr-xr-x     1 root  users  278528 Jun 18 04:01 root is from the dir 
> >      ^
> >      | This is a setuid prog. The program is owned by root, and is
> >        SETUID, therefore it will run as if it were root. It is
> >        probably a shell (bash, sh, csh) renamed to root and setuid.
> >        "chmod 755 root" will cut it down to size.
> 
> lovely:~>ls -l /bin/sh
> -r-xr-xr-x  1 bin  bin  278528 Jun 19 20:34 /bin/sh
> 
> The question is, of course, what a setuid-root copy of /bin/sh is doing
> in this user's home directory.  Have you fixed the 'modload' hole on this
> system yet?

	Yeah, the modload hole was fixed a long time ago as well as the 
man hole...  Getting /bin/sh with setuid-root is the really strange part..

Vince
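
The check Michael Smith does above by eye (same size as /bin/sh) can be done by content. This is an added example, not part of the original thread: a shell function that lists set-uid files under a directory which are byte-identical to a reference shell binary. The function name and the default reference list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Report set-uid files under DIR that are byte-for-byte copies of a
# reference shell, whatever name they were given.
# Usage:  find_setuid_shell_copies DIR [REFERENCE_SHELL...]
# Output: one line per hit: "<owner-uid> <path> <matching-reference>"
find_setuid_shell_copies() {
    dir=$1
    shift
    # Assumed default references; pass the entries of /etc/shells instead
    # to cover every shell installed on the host.
    if [ $# -eq 0 ]; then
        set -- /bin/sh /bin/csh
    fi
    # -perm -4000 selects regular files with the set-uid bit set.
    # Paths are read one per line, so names containing newlines are not handled.
    find "$dir" -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        for ref in "$@"; do
            # cmp -s compares content, so a renamed copy still matches and a
            # different file that merely has the same size does not.
            if [ -r "$ref" ] && cmp -s "$f" "$ref"; then
                # Numeric owner from ls -ln; uid 0 means the copy runs as root.
                uid=$(ls -ln "$f" | awk '{print $3}')
                printf '%s %s %s\n' "$uid" "$f" "$ref"
                break
            fi
        done
    done
}
```

Run it over the home directories, for example `find_setuid_shell_copies /home /bin/sh`; a hit with owner uid 0 is the situation described in this message.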
