From owner-freebsd-hackers Wed Nov 19 14:51:04 1997
Date: Wed, 19 Nov 1997 23:50:45 +0100 (MET)
Message-Id: <199711192250.XAA27441@bitbox.follo.net>
From: Eivind Eklund
To: Randy Katz
CC: wu-ftpd@wugate.wustl.edu, hackers@FreeBSD.ORG
In-reply-to: Randy Katz's message of Wed, 19 Nov 1997 11:20:39 -0800 (PST)
Subject: Re: strange things...HELP!!!
Sender: owner-freebsd-hackers@FreeBSD.ORG

>
> Hello,
>
> I tried to find out how this hacker is doing it on an ISP list and they
> said I was a hacker...HELP!!!
>
> The hacker ftp's into our server as a valid user (we will cancel him as
> soon as we know how to keep him out). Hacker copies /etc/master.passwd to
> his home directory. Hacker modified master.passwd. Hacker copies it back
> to /etc/master.passwd.
>
> How is he doing this?

I don't know, but if this is happening repeatedly I'd try using ktrace
to find out what happens. It definitely sounds like a wu-ftpd bug which
happens before it drops privileges (or possibly a combination of a bug
that happens after dropping privileges and a root exploit, e.g. the
/proc exploit (fixed in -stable somewhat pre-2.2.5) or the open()
problem (fixed in -stable a day or two post-2.2.5)).

Eivind.