Date:      Mon, 28 Jul 1997 08:30:48 -1000 (HST)
From:      "David Langford" <langfod@dihelix.com>
To:        vince@mail.MCESTATE.COM (Vincent Poy)
Cc:        security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject:   Re: security hole in FreeBSD
Message-ID:  <199707281830.IAA15209@caliban.dihelix.com>
In-Reply-To: <Pine.BSF.3.95.970728031228.3844A-100000@mail.MCESTATE.COM> from Vincent Poy at "Jul 28, 97 03:19:55 am"

I recently caught a breakin fairly similar.
The perp replaced /bin/login with one that would let them login
to ANY account with a password of "lemmein". The login would NOT be logged
and so it was very difficult to tell what was going on.

My only guess is that they used the old suidperl hack to get root.
Supposedly this doesn't work on newer perl though.

My suggestion to you would be to get a clean source tree, recompile everything
and install tripwire.

-David Langford
 langfod@dihelix.com

>The symptoms are as follows:
>1) User on mercury machine complained about perl5 not working which was
>perl5.003 since libmalloc lib it was linked to was missing.
>2) I recompiled the perl5 port from the ports tree and it's perl5.00403
>and it works.
>3) User hacks earth when he doesn't even have an account on the machine
>and can login to the machine remotely as root when rlogin and telnet
>wouldn't allow it.
>4) User is invisible in w, finger, who, users and can only be seen using
>ps -agux on a pty so I killed the process.
>5) User changes hostnames even in a netstat output so it's all garbage
>6) We went to inetd.conf and shut off all daemons except telnetd and 
>rebooted and user still can get onto the machine invisibly.
>7) User shuts down the machine and changes root password
>
>	Saw the user on irc posting the password of earth with the login
>name root.  Any ideas?
>
>
>Cheers,
>Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____ 
>Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
>GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]  
>Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
>HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
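David's advice above is to rebuild from clean source and install Tripwire, because a replaced /bin/login that skips logging is invisible to w, who and the wtmp-based tools but not to a file integrity baseline. The following is an added example (not code from either poster, and not Tripwire itself) of the core idea: record a SHA-256 digest, size and mode for each watched binary, then re-check later and report anything changed or missing. The file names and contents are constructed in a temporary directory; in practice the baseline would be taken from a freshly installed system and kept on read-only media.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits for each path (the 'tripwire' database)."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[str(p)] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def check_baseline(baseline):
    """Compare the current filesystem state to the baseline.

    Returns a list of (path, reason) findings; an empty list means nothing changed.
    """
    findings = []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        st = os.stat(path)
        if file_digest(path) != rec["sha256"]:
            findings.append((path, "content changed"))
        elif st.st_size != rec["size"]:
            findings.append((path, "size changed"))
        if (st.st_mode & 0o7777) != rec["mode"]:
            findings.append((path, "mode changed"))
    return findings


def demo():
    """Constructed scenario: a stand-in for /bin/login is replaced after the baseline is taken.

    Returns (findings_before, findings_after) with paths reduced to their basenames.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        login = root / "login"   # hypothetical stand-in for /bin/login
        ls = root / "ls"         # untouched control file
        telnetd = root / "telnetd"  # will be deleted to show the 'missing' case
        login.write_bytes(b"#!/bin/sh\necho original login\n")
        ls.write_bytes(b"#!/bin/sh\necho original ls\n")
        telnetd.write_bytes(b"#!/bin/sh\necho original telnetd\n")
        for p in (login, ls, telnetd):
            os.chmod(p, 0o755)

        baseline = build_baseline([login, ls, telnetd])
        before = check_baseline(baseline)

        # Simulate the replacement David describes: same path, different contents.
        login.write_bytes(b"#!/bin/sh\necho replaced login\n")
        telnetd.unlink()
        after = check_baseline(baseline)

        strip = lambda fs: sorted((Path(p).name, why) for p, why in fs)
        return strip(before), strip(after)


if __name__ == "__main__":
    before, after = demo()
    print("clean system:", before)
    print("after tampering:", after)
```

Digests alone are enough to catch a swapped binary; the mode check is there because a replaced login or shell is often also given the setuid bit. The baseline is only trustworthy if it was taken before the compromise and stored where the intruder cannot rewrite it, which is why the advice pairs this with a clean rebuild rather than baselining the current, possibly already-trojaned, system.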