From owner-freebsd-security Mon Jul 15 01:28:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA15246 for security-outgoing; Mon, 15 Jul 1996 01:28:43 -0700 (PDT)
Received: from critter.tfs.com ([140.145.230.177]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA15228; Mon, 15 Jul 1996 01:28:35 -0700 (PDT)
Received: from critter.tfs.com (localhost [127.0.0.1]) by critter.tfs.com (8.7.5/8.7.3) with ESMTP id KAA05003; Mon, 15 Jul 1996 10:28:03 +0200 (MET DST)
To: -Vince-
cc: jbhunt , freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net
Subject: Re: New EXPLOIT located!
In-reply-to: Your message of "Mon, 15 Jul 1996 00:49:10 PDT."
Date: Mon, 15 Jul 1996 10:28:02 +0200
Message-ID: <5001.837419282@critter.tfs.com>
From: Poul-Henning Kamp
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message , -Vince- writes:
>On Mon, 15 Jul 1996, Poul-Henning Kamp wrote:
>
>> >> remove the rdist program from your system, or just remove the setuid
>> >> bit from it.
>> >>
>> >> Do normal "we've been hacked cleanup".
>> >
>> > While we're at the subject, is there a hole with mount_msdos also
>> >because the guy had some text on mount_msdos but I deleted the
>> >/sbin/mount_msdos and -current still installs with the setuid bit...
>>
>> Well, until proven innocent, all setuid programs are suspect.
>>
>> Make a list of them all, remove setuid on any you don't use. Consider
>> carefully the minimum permissions you can get away with on the rest.
>
> Okay, now besides the /sbin directory, what other binaries are
>setuid that are installed by -current?

it sounds like you need to scan your ENTIRE system for them by now :-(

--
Poul-Henning Kamp           | phk@FreeBSD.ORG       FreeBSD Core-team.
http://www.freebsd.org/~phk | phk@login.dknet.dk    Private mailbox.
whois: [PHK]                | phk@ref.tfs.com       TRW Financial Systems, Inc.
Future will arrive by its own means, progress not so.
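
The inventory step quoted in the message above ("Make a list of them all, remove setuid on any you don't use"), as an added example that is not part of the original e-mail: a POSIX shell function that lists every setuid/setgid file under a tree and flags the ones missing from a reviewed allowlist. The function name `audit_setid` and the allowlist file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# audit_setid ROOT ALLOWLIST
#   ROOT       directory tree to scan (run as root on / for a full inventory)
#   ALLOWLIST  hypothetical file you maintain: one absolute path per line for
#              each setuid/setgid binary you have reviewed and decided to keep
# Prints "KEEP <kind> <path>" or "REVIEW <kind> <path>" per file found.
# Returns 1 if at least one file needs review, 0 otherwise.
audit_setid() {
    root=$1
    allow=$2
    status=0
    # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
    # -xdev keeps find on one filesystem; repeat the call per local mount.
    list=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null | sort)
    [ -n "$list" ] || return 0
    while IFS= read -r path; do
        kind=
        [ -u "$path" ] && kind=setuid
        [ -g "$path" ] && kind="${kind:+$kind+}setgid"
        # Exact, whole-line match so /bin/su does not also allow /bin/sudo.
        if [ -r "$allow" ] && grep -Fxq -- "$path" "$allow"; then
            echo "KEEP $kind $path"
        else
            echo "REVIEW $kind $path"
            status=1
        fi
    done <<EOF
$list
EOF
    return $status
}

# Stand-alone use: sh audit.sh ROOT [ALLOWLIST]
if [ "$#" -ge 1 ]; then
    audit_setid "$1" "${2:-/dev/null}"
fi
```

Each `REVIEW` line is a candidate for `chmod u-s` (or `g-s`) or removal; paths containing newlines are not handled by this line-based loop.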