Date: Wed, 19 Nov 1997 23:50:45 +0100 (MET)
From: Eivind Eklund <perhaps@yes.no>
To: Randy Katz <randyk@ccsales.com>
Cc: wu-ftpd@wugate.wustl.edu, hackers@FreeBSD.ORG
Subject: Re: strange things...HELP!!!
Message-ID: <199711192250.XAA27441@bitbox.follo.net>
In-Reply-To: Randy Katz's message of Wed, 19 Nov 1997 11:20:39 -0800 (PST)
References: <Pine.LNX.3.96.971119085547.20861C-100000@ns1.fni.com> <Pine.BSF.3.91.971119111532.26571A-100000@ccsales.ccsales.com>

>
> Hello,
>
> I tried to find out how this hacker is doing it on an ISP list and they
> said I was a hacker...HELP!!!
>
> The hacker ftp's into our server as a valid user (we will cancel him as
> soon as we know how to keep him out). Hacker copies /etc/master.passwd to
> his home directory. Hacker modified master.passwd. Hacker copies it back
> to /etc/master.passwd.
>
> How is he doing this?

I don't know, but if this is happening repeatedly I'd try using ktrace
to find out what happens. It definitely sounds like a wu-ftpd bug which
happens before it drops privileges (or possibly a combination of a bug
that happens after dropping privileges and a root exploit, e.g. the
/proc exploit (fixed in -stable somewhat pre-2.2.5) or the open()
problem (fixed in -stable a day or two post-2.2.5)).

Eivind.