Date:      Tue, 25 Jun 1996 18:13:06 +0200
From:      Mark Murray <mark@grumble.grondar.za>
To:        jbhunt <jbhunt@mercury.gaianet.net>
Cc:        Michael Smith <msmith@atrad.adelaide.edu.au>, -Vince- <vince@mercury.gaianet.net>, mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <199606251613.SAA10099@grumble.grondar.za>

[hackers removed from cc: - the crosspost is getting a bit much there]

jbhunt wrote:
> Ok, this is jb. First off, all this copied from here to there as root 
> didn't happen. I gave this fella an account knowing more than likely if 
> we had a hole he would find it. Unfortunately I wasn't watching his tty 
> when he actually used whatever exploit he used.

Ok...

>                                                 He obviously used a 
> setuid exploit so I suggest that there is a new exploit out abusing a 
> setuid program somewhere on the system because I know vince fixed the 
> mount_union and current fixed the old ypwhich hack.

Not so fast. You didn't see what he did, but you are claiming suid.
Maybe, maybe not. You don't _know_.

>                                                     Or actually maybe not 
> so old for some of you, but either way I did have to give him an account 
> before he could do anything. However, once inside it took him 2 minutes 
> and he was root. I know for a fact it was his FIRST look inside the 
> system and I ran no scripts from his dir.

How do you know? If "." is in your path, you run a script from wherever
you are - /tmp, /var/tmp, /var/mail if you have made that world writable,
etc. What other world writable directories do you have? What runs out
of cron? What is automatically executed when you run emacs? vi? What
is your EDITOR setting for vipw? Do you read your daily security report?

Create a new suid file and see if it is reported the next day.

>                                           That option is out so don't 
> bother. I did start watching his tty after he took root but it was too 
> late. I am open to any suggestions any of you have so far this seems to 
> be a very constructive group :> 

The most constructive suggestion at the moment is to look for your own
mistakes, and be more open to them. So far it seems you (collectively)
have made lots, but aren't admitting this - even to yourselves.

Ask him what he did - maybe he'll even tell you? :-) If it is a FreeBSD
security hole, we'll all thank him and you for finding it :-).

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
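The checks Mark's reply asks for (is "." in your PATH, which directories are world writable, and does a freshly created setuid file show up in the next daily report) as an added shell example; this is not code from the thread and not FreeBSD's own /etc/security script, only an approximation of the setuid comparison that script performs. It assumes POSIX sh plus find, sort, comm and mktemp; the function names and the baseline-file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD. Three checks
# that follow from the questions in Mark's reply. Assumes only POSIX sh
# plus find, sort, comm and mktemp. Run as root against "/" for real
# results; each function takes a root directory so it can also be
# exercised on a scratch tree.

# Return 0 (true) if a PATH value would execute programs from the current
# directory: an empty element (leading, trailing or doubled ':'), a literal
# '.', or an element beginning with './'. Other relative elements are not
# flagged here.
path_has_dot() {
    case ":$1:" in
        *::*|*:.:*|*:./*) return 0 ;;
    esac
    return 1
}

# Write a sorted list of setuid/setgid regular files under $1 to file $2.
# Keep the baseline somewhere the intruder cannot edit (off-host is best).
suid_snapshot() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sort > "$2"
}

# Print setuid/setgid files under $1 that are absent from baseline $2,
# i.e. what the daily report should flag the morning after one appears.
suid_new() {
    tmp=$(mktemp) || return 1
    suid_snapshot "$1" "$tmp"
    comm -13 "$2" "$tmp"
    rm -f "$tmp"
}

# Print world-writable directories under $1. Sticky ones (/tmp style) are
# included on purpose: with '.' in PATH they are exactly where a planted
# 'ls' or 'vi' gets picked up.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | sort
}
```

Take the snapshot once the system is believed clean (for example `suid_snapshot / /var/backups/setuid.baseline`), then run `suid_new` from cron every night; any output, or a world-writable directory you did not put there, is the kind of self-made mistake the reply is pointing at, and `path_has_dot "$PATH"` for root's shell is the first thing to check.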



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606251613.SAA10099>