From owner-freebsd-security Mon Jul 15 00:35:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA10853 for security-outgoing; Mon, 15 Jul 1996 00:35:40 -0700 (PDT)
Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA10843; Mon, 15 Jul 1996 00:35:35 -0700 (PDT)
Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id JAA04867; Mon, 15 Jul 1996 09:35:02 +0200 (MET DST)
To: jbhunt
cc: freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net
Subject: Re: New EXPLOIT located!
In-reply-to: Your message of "Sun, 14 Jul 1996 23:52:43 PDT."
Date: Mon, 15 Jul 1996 09:35:01 +0200
Message-ID: <4865.837416101@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers
>around our box. FINALLY, today at about 3 pm one of them made a BIG BIG
>mistake. Fortunately, for us I was around to watch what happened and kill
>the user before he was able to erase his history files and the exploit
>itself. So here are the files necessary to fix whatever hole this
>exploits. We run Freebsd Current so it obviously makes most freebsd
>systems vulnerable to a root attack. I appreciate any help you can offer.

OK, this is the rdist hole, it's already being worked on I think.

Remove the rdist program from your system, or just remove the setuid
bit from it.

Do normal "we've been hacked cleanup".

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
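
Added example, not part of the original message: one way to apply the "remove the setuid bit" mitigation from the reply above and confirm that it took effect. The function names are hypothetical, and the binary's location is an assumption that differs between systems, so the path is passed as an argument.

```shell
#!/bin/sh
# Added example: report and clear the setuid bit on a binary such as rdist.
# Usage (as root): sh strip-setuid.sh /path/to/rdist
# The path is an assumption; locate the installed copy first (e.g. `which rdist`).

# is_setuid PATH: succeeds if PATH is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# strip_setuid PATH: clear the setuid bit and verify the result.
# Returns 0 if the bit is absent afterwards, 1 if the file is missing,
# 2 if the bit could not be cleared.
strip_setuid() {
    target=$1
    if [ ! -f "$target" ]; then
        echo "not found: $target"
        return 1
    fi
    if ! is_setuid "$target"; then
        echo "already clean: $target"
        return 0
    fi
    ls -l "$target"                  # record owner and mode before the change
    chmod u-s "$target" || return 2
    if is_setuid "$target"; then     # re-check instead of trusting chmod's exit code
        echo "setuid still set: $target"
        return 2
    fi
    echo "setuid removed: $target"
    return 0
}

# Run only when a path is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    strip_setuid "$1"
fi
```

The other permission bits are left untouched, so the program stays runnable by ordinary users but no longer executes with its owner's privileges.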