Date: Fri, 12 Jul 1996 23:12:48 -0400 (EDT)
From: jaeger <jaeger@dhp.com>
To: vince@mercury.gaianet.net
Cc: freebsd-security@freebsd.org
Subject: Re: ROOT COMPROMISE
Message-ID: <Pine.LNX.3.91.960712230445.10074A-100000@dhp.com>
In-Reply-To: <Pine.BSF.3.91.960712114404.2779A-100000@mercury.gaianet.net>
This has got to be some of the lamest cracking activity I've seen in a long time, and I'd thought I'd seen it all ;>. If this type of activity had been going on unnoticed (Modifying root's .forward?? Incidentally, you should probably use /etc/aliases for this..) then you could have been the target of someone with more skill and never ever noticed. I'd suggest some type of security audit immediately...

The chmod'ing of "bsdiexp" 6777 suggests an exploitation of the recently discovered root hole in suidperl. It could also be a backdoor root shell; it isn't clear from the logs just what this is, exploit or backdoor.

It's very refreshing to see actual cracking activity discussed. Excepting a few papers from years ago, Shimomura's excellent dissection of the Christmas '94 attack on his box, and a few recent bits and pieces, the white hats don't get to see much of the actual intruder activity that's going on. Please keep up the status reports :).

-jaeger
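An added defender-side check, not from jaeger's message or from the list: a small POSIX shell audit that flags setuid/setgid files which are also world-writable (the "6777" pattern noted above) and lists .forward files under a home tree. The function names and the sample directory tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Two audit helpers and a
# constructed sample tree so the checks can be exercised offline.

# find_suid_world_writable DIR
# Prints every regular file under DIR that carries the setuid or setgid
# bit AND is world-writable. A mode such as 6777 matches; a normal
# setuid binary (4755) does not.
find_suid_world_writable() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -perm -0002 2>/dev/null
}

# count_suid_world_writable DIR
# Same check, but returns just the number of offending files.
count_suid_world_writable() {
    find_suid_world_writable "$1" | wc -l | tr -d ' '
}

# list_forward_files HOMEDIR
# Lists .forward files directly under each home directory beneath HOMEDIR;
# a .forward in root's home is exactly what the incident upthread touched.
list_forward_files() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -name .forward 2>/dev/null
}

# demo_tree
# Builds a constructed sample tree in a temporary directory and prints its
# path. File names are hypothetical and chosen to mirror the thread.
demo_tree() {
    d=$(mktemp -d)
    : > "$d/bsdiexp";  chmod 6777 "$d/bsdiexp"   # setuid+setgid, world-writable
    : > "$d/normal";   chmod 755  "$d/normal"    # ordinary executable
    : > "$d/suid_ok";  chmod 4755 "$d/suid_ok"   # setuid, not world-writable
    mkdir -p "$d/home/root"
    printf 'user@example.invalid\n' > "$d/home/root/.forward"  # constructed
    echo "$d"
}
```

Run the audit against a real host with `find_suid_world_writable /` and `list_forward_files /home` (and root's home); any hit deserves the same scrutiny the thread gives "bsdiexp".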