From owner-freebsd-security Tue Jul 29 00:14:58 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA19228 for security-outgoing; Tue, 29 Jul 1997 00:14:58 -0700 (PDT)
Received: from ns.cs.msu.su (laskavy@redsun.cs.msu.su [158.250.10.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA19217 for ; Tue, 29 Jul 1997 00:14:50 -0700 (PDT)
Received: (from laskavy@localhost) by ns.cs.msu.su (8.8.6/8.6.12) id LAA04724; Tue, 29 Jul 1997 11:13:24 +0400 (DST)
Date: Tue, 29 Jul 1997 11:13:24 +0400 (DST)
Message-Id: <199707290713.LAA04724@ns.cs.msu.su>
From: "Sergei S. Laskavy"
To: langfod@dihelix.com
CC: vince@mail.MCESTATE.COM, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
In-reply-to: <199707281830.IAA15209@caliban.dihelix.com> (langfod@dihelix.com)
Subject: Re: security hole in FreeBSD
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "David" == David Langford writes:

David> I recently caught a breakin fairly similar. The perp [...]
David> replace /bin/login with one that would let them login to
David> ANY account with a password of "lemmein". The login would
David> NOT be logged and so it was very difficult to tell what was
David> going on.

David> My only guess is that they used the old suidperl hack to
David> get root. Supposedly this doesn't work on newer perl
David> though.

Please, add a note about insecure sperl4.036 and sperl5.003 somewhere
in ERRATA.TXT or in SECURITY.TXT or even in README.TXT and maybe in
some other appropriate places. People are still just downloading
the "bin" distribution and then hackers are able to gain root easily.

David> My suggestion to you would be to get a clean source tree,
David> recompile everything and install tripwire.

David> -David Langford langfod@dihelix.com
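
One way to audit an installed system for the two binaries named in the message, as an added example that is not part of the original thread. The file names come from the message; the search roots you pass in and the `chmod u-s` stopgap it prints are assumptions, not something either poster prescribes.

```shell
#!/bin/sh
# Added example: report sperl binaries that still carry the setuid bit.
# File names are taken from the message; search roots are supplied by
# the caller (assumption: e.g. /usr/bin /usr/local/bin).
SPERL_NAMES="sperl4.036 sperl5.003"

# Print the path of every regular file under the given roots whose name
# is in SPERL_NAMES and whose mode includes setuid (04000).
find_suid_sperl() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        for name in $SPERL_NAMES; do
            find "$root" -type f -name "$name" -perm -4000 -print 2>/dev/null
        done
    done
}

# Number of setuid sperl binaries found under the given roots.
count_suid_sperl() {
    find_suid_sperl "$@" | wc -l | tr -d ' '
}

# Human-readable report; returns 1 when at least one finding exists so
# the function can gate a post-install check.
report_suid_sperl() {
    found=$(find_suid_sperl "$@")
    if [ -z "$found" ]; then
        echo "no setuid sperl binaries under: $*"
        return 0
    fi
    echo "$found" | while IFS= read -r f; do
        ls -l "$f"
        echo "  stopgap (assumption): chmod u-s '$f'"
    done
    return 1
}

# Run a scan only when search roots are given on the command line.
if [ "$#" -gt 0 ]; then
    report_suid_sperl "$@"
fi
```

Run it as `sh audit.sh /usr/bin /usr/local/bin` after installing from the "bin" distribution; a non-zero exit means a listed binary is still setuid.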