From owner-freebsd-stable Fri Jul 20 11:58:08 2001
Date: Fri, 20 Jul 2001 11:57:51 -0700 (PDT)
From: Mike Hoskins
To: Tom
Cc: "Chad R. Larson", admin@kremilek.gyrec.cz, freebsd-stable@FreeBSD.ORG
Subject: Re: probably remote exploit

On Fri, 20 Jul 2001, Tom wrote:

> But if a backdoor is installed, you can't trust cvsup, or make either.
> Any binary could have been tampered with. For instance, I would make a
> backdoor make that would detect that an installworld is underway, and
> always make sure that a backdoored copy of "login" and another copy of
> "make".

What? Everyone can't just do a quick check against the saved tripwire
checksums on CD-R? ;)

Seriously. While checksumming an entire system can be impractical, keeping
checksums for a barebones set of administrative tools can be a lifesaver.

I'd be curious to know if a quick search for "..." and other attempts at
hiding directories turned up anything. Honeypots I've played with show an
affinity to "..." for hiding cracker tools. Not too sure why, it's easily
visible.

Also, per his original post - if they obtained root access via an exploit,
they would not have to guess the user's 8-character password. Once root,
they could set the password to anything they want and/or bruteforce the
encrypted string in master.passwd.

Later,

-Mike

--
2^n eyes are better than 2. Join the logwatchers community today.
http://www.adept.org/mailinglists.html#logwatchers
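The two checks Mike describes above (a small checksum baseline for a handful of administrative tools, kept on read-only media, and a sweep for "..." style hiding directories) as an added example; this is not code from the original mail or from the FreeBSD project. The tool list, the sample tree under a temporary directory, the trojaned "login" and the "..." directory are all constructed here for illustration. In real use the baseline file, and the hashing binary itself, would come from the CD-R (a statically linked copy), since Tom's point is that any binary on the compromised box may be tampered with; this script simply uses whatever sha256sum / sha256 is on the path, which is an assumption to be replaced in practice.

```shell
#!/bin/sh
# Baseline-and-verify for a small set of administrative binaries, plus a
# search for the classic "..." hiding directory. Added example, not from the
# original thread. Paths and names are illustrative assumptions.

# hash_file FILE: print only the hex digest, portable across GNU coreutils
# (sha256sum), FreeBSD (sha256 -q) and, as a weak last resort, POSIX cksum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        # CRC-32 is not collision resistant; only here so the script still runs.
        cksum "$1" | awk '{print "cksum-" $1 "-" $2}'
    fi
}

# make_baseline LISTFILE OUTFILE: one "digest path" line per tool listed
# (blank lines in LISTFILE are skipped). OUTFILE is what you burn to CD-R.
make_baseline() {
    : > "$2"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$(hash_file "$path")" "$path" >> "$2"
    done < "$1"
}

# verify_baseline BASELINE: print OK / MODIFIED / MISSING per entry and
# return the number of entries that failed (0 means everything matched;
# the count is capped at 255 by the shell's return value).
verify_baseline() {
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        have=$(hash_file "$path")
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# find_hidden_dirs ROOT: directories named "..." or a dot name padded with a
# trailing space, which an "ls" glance tends to miss (the name set is an
# assumption; extend it with whatever your honeypots show).
find_hidden_dirs() {
    find "$1" -type d \( -name '...' -o -name '.. ' -o -name '. ' \) -print
}

# demo: constructed sample tree showing a clean run, a trojaned login, and
# a "..." directory under var/tmp. Runs stand-alone; nothing touches /.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/var/tmp/..."
    printf '#!/bin/sh\necho login\n' > "$root/bin/login"
    printf '#!/bin/sh\necho make\n'  > "$root/bin/make"
    printf '%s\n' "$root/bin/login" "$root/bin/make" > "$root/tools.list"
    make_baseline "$root/tools.list" "$root/baseline"
    printf 'echo backdoor\n' >> "$root/bin/login"      # simulate tampering
    verify_baseline "$root/baseline" || echo "$? entry(ies) failed verification"
    find_hidden_dirs "$root"
    rm -rf "$root"
}
demo
```

Keep the tool list short and deliberate (the shells, login, make, ls, ps, netstat, find, the hashing tool itself) so the check stays quick enough to actually run, and compare against the copy of the baseline on the read-only medium, never against a copy left on the possibly compromised disk.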