Date: Sat, 10 Feb 1996 01:24:44 -0500 (EST) From: Brian Tao <taob@io.org> To: FREEBSD-SECURITY-L <freebsd-security@freebsd.org> Subject: User creating root-owned directories? Message-ID: <Pine.BSF.3.91.960210011627.17721I-100000@zip.io.org>
I was sent this message from one of our support staff. Any ideas
how this user could have created the root directory? It looks like a
sendmail hole, or an instance of exploiting a buffer that is then
passed through a shell interpreter (note the "ls ; !" portion of the
name).
We are running a mixed BSD/OS, FreeBSD and NetBSD environment.
The mail server is a BSD/OS 2.0 machine running sendmail 8.6.12, shell
servers are FreeBSD 2.1 and the NFS server is NetBSD 1.1. User home
directories are accessible on any of the above machines.
In general, how does one go about tracking down this kind of
problem? SementE is the nickname of a known hacker, and it really
bugs me when some snot-nosed kid finds security holes I don't. :-/ ;-)
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"
---------- Forwarded message ----------
Date: Sat, 10 Feb 1996 00:20:32 -0500 (EST)
From: Mark Salerno <mjs@io.org>
To: Brian Tao <taob@io.org>
Subject: Someone hacked root it seems.
This may be a false alarm, but..
this evening (friday) I received a message from a user online, who wanted
me to notify you that someone had hacked root. Although I didn't believe
him at first, here's the proof he gave. I entered into his directory and
did an 'ls -lr'
total 164
-rw-r--r-- 1 cfloyd user 20 Jun 26 1995
-rw-r--r-- 1 cfloyd user 82498 Aug 14 21:34 phoenix.irc
-rw------- 1 cfloyd user 14893 Aug 14 21:31 phoenix.hlp
drwx------ 2 cfloyd user 512 Aug 30 1994 mail
-rw------- 1 cfloyd user 27815 Aug 14 17:40 extras.irc
-rw-r--r-- 1 cfloyd user 35007 Dec 31 19:48 eggdox.doh
drwxr-xr-x 2 root user 512 Feb 9 00:11 SementE wuz herels ; !
drwx------ 4 cfloyd user 512 Feb 3 1995 News
drwx------ 2 cfloyd user 512 Feb 8 00:49 Mail
look at the SementE file. owned by root. inside his dir.
Not sure exactly what this means. Looks like someone has root. thought I
should let you know. If I'm just causing a false alarm, someone please
splash me with a bottle of snapple ;)
-MS
--- MSofty: Mark Salerno - mjs@io.org, msofty@io.org
-- Internex Online Support Staff
- 20 Bay St., Suite 1625. Toronto, Ontario. M5J 2N8
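Two checks that address Brian's question about tracking this kind of thing down, written as an added example rather than anything posted in the thread. The first flags names under a directory that contain shell separators or an embedded newline (a name such as "SementE wuz here" followed by a newline and "ls ; !" would be printed by plain "ls -l" as two lines, which is consistent with the run-together name in Mark's listing); the second counts entries under a home directory not owned by the home directory's owner. The directory layout and file names in the demo are constructed for illustration, and the script assumes only POSIX sh, find, ls, awk, tr and wc.

```shell
#!/bin/sh
# Added example, not part of the original thread. The names and paths created
# by demo() are constructed for illustration.

# Count entries under $1 whose basename contains a character a shell would
# interpret if the name were ever spliced into a command line (; | & ` $ ! ( )
# < >) or a literal newline. find -print0 plus counting the NUL separators
# keeps such names from corrupting the count itself.
count_metachar_names() {
    dir="$1"
    nl='
'
    n=$(find "$dir" \( -name '*[;|&`$!()<>]*' -o -name "*${nl}*" \) -print0 \
        | tr -cd '\000' | wc -c)
    echo $(( n ))
}

# Count entries under home directory $1 that are not owned by whoever owns $1.
# A root-owned directory inside a user's home, as in the listing above, is
# exactly what this surfaces. ls -ld is used for the owner because stat(1)
# takes different flags on BSD and GNU systems.
count_foreign_owned() {
    home="$1"
    owner=$(ls -ld "$home" | awk '{print $3}')
    n=$(find "$home" ! -user "$owner" -print0 | tr -cd '\000' | wc -c)
    echo $(( n ))
}

# Build a throwaway home directory modelled on the listing and run both checks.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cfloyd"
    : > "$tmp/cfloyd/phoenix.irc"
    # A name carrying a command separator and a history character.
    mkdir "$tmp/cfloyd/SementE wuz here ls ; !"
    # A name with an embedded newline: plain ls -l prints it as two lines.
    mkdir "$tmp/cfloyd/innocent
ls"
    echo "metachar names: $(count_metachar_names "$tmp/cfloyd")"
    echo "foreign owned:  $(count_foreign_owned "$tmp/cfloyd")"
    # -q (POSIX) shows the newline as ? instead of silently breaking the line.
    ls -lq "$tmp/cfloyd"
    rm -rf "$tmp"
}

demo
```

Run by the owner of the tree, the demo reports two metacharacter names and zero foreign-owned entries; run as root across /home on the real servers, count_foreign_owned is the quick way to see whether cfloyd's directory is the only one affected. Since the same home directories are NFS-exported to every machine in the mix described above, the file could have been created from any of them, so the check belongs on each host, and the usual companion is "find / -perm -4000 -newer <reference file>" to catch any setuid binary dropped at the same time.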
