Date:      Mon, 28 Jul 1997 03:19:55 -0700 (PDT)
From:      Vincent Poy <vince@mail.MCESTATE.COM>
To:        security@FreeBSD.ORG
Cc:        "[Mario1-]" <mario1@PrimeNet.Com>, JbHunt <johnnyu@accessus.net>
Subject:   security hole in FreeBSD
Message-ID:  <Pine.BSF.3.95.970728031228.3844A-100000@mail.MCESTATE.COM>

Greetings,

	We've had a hacker on two of our FreeBSD -current machines who
hacked the machine as root.  

The symptoms are as follows:
1) User on mercury machine complained about perl5 not working, which was
perl5.003, since the libmalloc lib it was linked to was missing.
2) I recompiled the perl5 port from the ports tree and it's perl5.00403
and it works.
3) User hacks earth when he doesn't even have an account on the machine
and can login to the machine remotely as root when rlogin and telnet
wouldn't allow it.  
4) User is invisible in w, finger, who, users and can only be seen using
ps -agux on a pty so I killed the process.
5) User changes hostnames even in a netstat output so it's all garbage
6) We went to inetd.conf and shut off all daemons except telnetd and 
rebooted and user still can get onto the machine invisibly.
7) User shuts down the machine and changes root password

	Saw the user on irc posting the password of earth with the login
name root.  Any ideas?


Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]  
Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
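
Symptom 4 above describes a session that is missing from w, finger, who and users but still shows up in ps on a pty. As an added example (not part of the original message), the shell function below cross-checks those two views and reports terminals that have processes but no login record; the sample listings, the host name and the assumption that ps abbreviates ttyp0 to p0 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Sample data is constructed.

# hidden_ttys WHO_FILE PS_FILE
# Prints "tty user pid command" for every process whose controlling
# terminal has no matching login record in the who(1) listing.
hidden_ttys() {
    awk '
        # who(1): column 2 is the line name (ttyp0); ps shows it as p0.
        src == "who" { t = $2; sub(/^tty/, "", t); logged[t] = 1; next }
        # ps(1): skip the header, processes without a tty, idle gettys.
        FNR == 1 || $7 ~ /^[?]+$/ || $11 ~ /\/getty$/ { next }
        { t = $7; sub(/^tty/, "", t)
          if (!(t in logged)) print t, $1, $2, $11 }
    ' src=who "$1" src=ps "$2"
}

sample_who() {   # constructed who(1) output: one recorded login
    cat <<'EOF'
vince    ttyp0    Jul 28 03:01 (host.example.net)
EOF
}

sample_ps() {    # constructed ps -agux output: p1 has no login record
    cat <<'EOF'
USER   PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root     1  0.0  0.1  496  104  ??  Is   2:40AM  0:00.02 /sbin/init --
root   172  0.0  0.5  200  508  v0  Is+  2:41AM  0:00.01 /usr/libexec/getty Pc ttyv0
vince  301  0.0  0.9  480  820  p0  Ss   3:01AM  0:00.10 -tcsh (tcsh)
root   355  0.0  0.8  470  790  p1  Ss   3:05AM  0:00.04 -sh (sh)
vince  360  0.0  0.4  400  300  p0  R+   3:10AM  0:00.00 ps -agux
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_who > "$dir/who"
    sample_ps  > "$dir/ps"
    hidden_ttys "$dir/who" "$dir/ps"
    rm -rf "$dir"
}

demo   # prints: p1 root 355 -sh
```

Both inputs come from tools on the host under suspicion, so the comparison is only as trustworthy as the who and ps binaries that produced them; capture the listings with copies from known-good media.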





