Date: Mon, 15 Jul 1996 01:21:07 -0700 (PDT)
From: -Vince- <vince@mercury.gaianet.net>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: jbhunt <jbhunt@mercury.gaianet.net>, freebsd-security@freebsd.org, root@mercury.gaianet.net
Subject: Re: New EXPLOIT located!
Message-ID: <Pine.BSF.3.91.960715012012.1637F-100000@mercury.gaianet.net>
In-Reply-To: <1232.837417960@orion.webspan.net>

On Mon, 15 Jul 1996, Gary Palmer wrote:
> jbhunt wrote in message ID
> <Pine.BSF.3.91.960714212321.1806A-300000@mercury.gaianet.net>:
> > Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers
> > around our box. FINALLY, today at about 3 pm one of them made a BIG BIG
> > mistake. Fortunately for us, I was around to watch what happened and kill
> > the user before he was able to erase his history files and the exploit
> > itself. So here are the files necessary to fix whatever hole this
> > exploits. We run FreeBSD Current so it obviously makes most FreeBSD
> > systems vulnerable to a root attack. I appreciate any help you can offer.
>
> from the source supplied:
>
> --SNIP--
> execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL);
> --SNIP--
>
> You *HAVE* applied the rdist patch(es), or better yet, DISABLED rdist
> totally, haven't you?
Only took out the setuid flag... Have the patches been applied to
the latest -current since I just recompiled rdist from the latest
-current sources...
Vince
