Date: Mon, 8 Nov 1999 13:30:40 -0500 (EST)
From: David Gilbert <dgilbert@velocet.ca>
To: freebsd-security@freebsd.org
Subject: A new 'sploit?
Message-ID: <14375.5840.975982.927941@trooper.velocet.net>
On one of our client's servers, we found a directory structure full of
alternating <CR>Your public key (512-bit) goes here<CR> and
capital-A-repeated directory names. I assume the script kiddie should
have replaced all the capital-A's with their public key. Inside these
directories 'find.core' was linked to /root/.ssh/authorized_keys.

Now... since my authorized_keys file is not overwritten, I gather that
root processes don't drop core any longer? Maybe I have corefiles
ulimited to 0. Anyways...

I'm still stuck with trying to remove this giant block of
directories. Bash won't allow me to cd into them, but if I cd into
them with sh, I can get all the way to the end. Once I'm in that last
directory, if I try to run any command (any non-internal command), I
get:
[1:\#:\!]\u@eve:\w> pwd | wc
wc: argument list too long
[1:\#:\!]\u@eve:\w> pwd >/tmp/foo
[1:\#:\!]\u@eve:\w> wc /tmp/foo
wc: argument list too long
[1:\#:\!]\u@eve:\w> echo *
find.core
[1:\#:\!]\u@eve:\w> rm fine.core
rm: argument list too long

FYI (I'm not going to include the whole file):
[1:19:319]root@eve:/usr/local/bin> wc /tmp/foo
601 2701 87914 /tmp/foo
[1:20:320]root@eve:/usr/local/bin> head /tmp/foo
/u/adam/10622/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!

Dave.
--
============================================================================
|David Gilbert, Velocet Communications. | Two things can only be |
|Mail: dgilbert@velocet.net | equal if and only if they |
|http://www.velocet.net/~dgilbert | are precisely opposite. |
=========================================================GLO================
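An added example (mine, not from David's post or from FreeBSD) showing one way to clear such a tree: remove_deep_tree works purely through directory file descriptors (dir_fd), so no full path is ever built or passed to a child process, and any symlink it meets (the find.core link above) is unlinked rather than followed, with its target recorded for review. make_deep_chain and demo are hypothetical helpers that build a constructed fixture for a self-test; the script assumes a POSIX Python 3 with dir_fd support.

```python
import os, stat, tempfile
def _open_dir(name, dir_fd=None):
    # O_NOFOLLOW: never step through a symlink while descending
    return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
def remove_deep_tree(top):
    """Delete the tree at `top` (itself a short path) without ever forming a full path: each pass
    walks down by fd, unlinks files/symlinks on the way, rmdirs the first leaf directory; returns links removed."""
    links = []
    while True:
        parent_fd, fd, name_in_parent = None, _open_dir(top), None
        while True:
            subdir = None
            for name in os.listdir(fd):          # listing by fd, no path needed
                st = os.lstat(name, dir_fd=fd)
                if stat.S_ISDIR(st.st_mode):
                    subdir = name                # descend after finishing this listing
                    continue
                if stat.S_ISLNK(st.st_mode):     # record where the link pointed
                    links.append((name, os.readlink(name, dir_fd=fd)))
                os.unlink(name, dir_fd=fd)       # unlink removes the link itself, never its target
            if subdir is None:
                break                            # this directory is now empty
            if parent_fd is not None:
                os.close(parent_fd)
            parent_fd, fd, name_in_parent = fd, _open_dir(subdir, dir_fd=fd), subdir
        os.close(fd)
        if parent_fd is None:                    # top itself is empty: done
            os.rmdir(top)
            return links
        os.rmdir(name_in_parent, dir_fd=parent_fd)
        os.close(parent_fd)
def make_deep_chain(top, segments, leaf_link_target=None):
    # Constructed fixture: build top/seg/seg/... via dir_fd so the path can exceed PATH_MAX
    os.mkdir(top)
    fd = _open_dir(top)
    for seg in segments:
        os.mkdir(seg, dir_fd=fd)
        fd, old = _open_dir(seg, dir_fd=fd), fd
        os.close(old)
    if leaf_link_target is not None:
        os.symlink(leaf_link_target, "find.core", dir_fd=fd)  # mirrors the post's link
    os.close(fd)
def demo():
    # 200 levels of 200 'A's (~40 KB of path) ending in a link to a stand-in authorized_keys
    base = tempfile.mkdtemp()
    target = tempfile.NamedTemporaryFile(dir=base, prefix="authorized_keys.", delete=False).name
    top = os.path.join(base, "10622")
    make_deep_chain(top, ["A" * 200] * 200, leaf_link_target=target)
    return remove_deep_tree(top), os.path.exists(target), os.path.lexists(top)
```

demo() returns the symlinks found, whether the link target survived, and whether the top directory still exists; the stand-in key file must survive while the tree is gone.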
