From owner-freebsd-security Tue Jun 25 08:57:27 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA11276 for security-outgoing; Tue, 25 Jun 1996 08:57:27 -0700 (PDT)
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id IAA10991; Tue, 25 Jun 1996 08:54:14 -0700 (PDT)
Received: (from narvi@localhost) by haldjas.folklore.ee (8.6.12/8.6.12) id SAA04118; Tue, 25 Jun 1996 18:56:45 +0300
Date: Tue, 25 Jun 1996 18:56:44 +0300 (EET DST)
From: Narvi
To: "Eric J. Schwertfeger"
cc: -Vince- , Mark Murray , hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley , jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:

>
>
> On Tue, 25 Jun 1996, -Vince- wrote:
>
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
>
> Then the important question is, how did he move the file so that it
> retained the setuid bit? We're already pretty sure that the program is
> only /bin/sh with the setuid bit turned on. So either he found a way to
> move the file with the bit turned on, or he found a way to turn it on,
> which requires root access.

How did he get the file there in the first place? Via ftp? Or did he just
copy it over? Ftp seems to remove even the exec bit, let alone the setuid.
Could there be a way of attack via a modified ftp server?

Sander
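The thread above asks how a copied shell could end up with its setuid bit set; from the administrator's side the more immediately useful question is how to find such a file once it is on the system. The script below is an added example and is not part of the original thread or of FreeBSD: it lists setuid regular files under a directory tree and flags those that are byte-for-byte copies of a known system shell, which is exactly the artifact the posters describe (a plain /bin/sh with the setuid bit on). The shell paths in KNOWN_SHELLS and the scratch files built in demo() are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): audit a directory
# tree for setuid executables that are byte-for-byte copies of a system shell.
# Assumptions: POSIX find and cmp are available; KNOWN_SHELLS is a constructed
# candidate list, and only the entries that actually exist are compared.

KNOWN_SHELLS="/bin/sh /bin/bash /bin/csh /bin/tcsh /bin/ksh /bin/zsh"

# Print every regular file under $1 whose setuid bit is set.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Return 0 if $1 has the same contents as one of the known shells, 1 otherwise.
is_shell_copy() {
    for candidate in $KNOWN_SHELLS; do
        [ -f "$candidate" ] || continue
        if cmp -s "$1" "$candidate"; then
            return 0
        fi
    done
    return 1
}

# Print, one per line, the setuid files under $1 that are copies of a shell.
# A setuid file that is not a shell, and a shell copy that is not setuid,
# are both left out: the combination is what matters here.
find_setuid_shells() {
    find_setuid "$1" | while IFS= read -r f; do
        is_shell_copy "$f" && printf '%s\n' "$f"
    done
}

# Demonstration on a constructed scratch tree: one setuid copy of /bin/sh
# (should be reported), one non-setuid copy (should not), and one setuid
# file that is not a shell (should not).
demo() {
    tmp=$(mktemp -d) || return 1
    cp /bin/sh "$tmp/plain_copy"
    cp /bin/sh "$tmp/.hidden_root_shell" && chmod 4755 "$tmp/.hidden_root_shell"
    printf 'not a shell\n' > "$tmp/other" && chmod 4755 "$tmp/other"
    find_setuid_shells "$tmp"
    rm -rf "$tmp"
}

demo
```

For a real audit, run find_setuid_shells against / (or each local filesystem) as root and compare the result with the setuid files the installed base system is expected to carry; any shell copy in a home directory, /tmp or an ftp upload area is worth investigating regardless of who owns it.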