From owner-freebsd-security Fri Feb 9 22:25:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id WAA21081 for security-outgoing; Fri, 9 Feb 1996 22:25:14 -0800 (PST)
Received: from zip.io.org (root@zip.io.org [198.133.36.80]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id WAA21076 for ; Fri, 9 Feb 1996 22:25:11 -0800 (PST)
Received: (from taob@localhost) by zip.io.org (8.6.12/8.6.12) id BAA08558; Sat, 10 Feb 1996 01:24:44 -0500
Date: Sat, 10 Feb 1996 01:24:44 -0500 (EST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: User creating root-owned directories?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

    I was sent this message from one of our support staff. Any ideas how this user could have created the root directory? It looks like a sendmail hole, or an instance of exploiting a buffer that is then passed through a shell interpreter (note the "ls ; !" portion of the name).

    We are running a mixed BSD/OS, FreeBSD and NetBSD environment. The mail server is a BSD/OS 2.0 machine running sendmail 8.6.12, shell servers are FreeBSD 2.1 and the NFS server is NetBSD 1.1. User home directories are accessible on any of the above machines.

    In general, how does one go about tracking down this kind of problem? SementE is the nickname of a known hacker, and it really bugs me when some snot-nosed kid finds security holes I don't. :-/ ;-)
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"

---------- Forwarded message ----------
Date: Sat, 10 Feb 1996 00:20:32 -0500 (EST)
From: Mark Salerno
To: Brian Tao
Subject: Someone hacked root it seems.

This may be a false alarm, but.. this evening (Friday) I received a message from a user online, who wanted me to notify you that someone had hacked root. Although I didn't believe him at first, here's the proof he gave.
I entered into his directory and did an 'ls -lr':

total 164
-rw-r--r--  1 cfloyd  user     20 Jun 26  1995 
-rw-r--r--  1 cfloyd  user  82498 Aug 14 21:34 phoenix.irc
-rw-------  1 cfloyd  user  14893 Aug 14 21:31 phoenix.hlp
drwx------  2 cfloyd  user    512 Aug 30  1994 mail
-rw-------  1 cfloyd  user  27815 Aug 14 17:40 extras.irc
-rw-r--r--  1 cfloyd  user  35007 Dec 31 19:48 eggdox.doh
drwxr-xr-x  2 root    user    512 Feb  9 00:11 SementE wuz herels ; !
drwx------  4 cfloyd  user    512 Feb  3  1995 News
drwx------  2 cfloyd  user    512 Feb  8 00:49 Mail

Look at the SementE file, owned by root, inside his dir. Not sure exactly what this means. Looks like someone has root. Thought I should let you know. If I'm just causing a false alarm, someone please splash me with a bottle of Snapple ;)

-MS
---
MSofty: Mark Salerno - mjs@io.org, msofty@io.org
Internex Online Support Staff - 20 Bay St., Suite 1625. Toronto, Ontario. M5J 2N8
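Brian asks how one goes about tracking down this kind of problem. What follows is an added example, not code from the thread or from either poster: a small sh script that sweeps user home directories for the two anomalies visible in the forwarded listing (an entry not owned by the home's owner, and a name containing shell metacharacters), plus a modification-time cut-off for narrowing the window in which things changed. The home root, the reference timestamp and the constructed sample tree are assumptions, and the stat(1) flags assume a current GNU or BSD userland rather than the 1996 systems in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass audit of user home
# directories for root-owned entries, metacharacter-laden names, and
# recent changes. Paths, timestamps and the demo tree are assumptions.

# Owner of a path as a user name. GNU stat takes -c, BSD stat takes -f;
# try GNU first and fall back to BSD.
home_owner() {
    stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"
}

# Entries below $1 not owned by the owner of $1 itself. A root-owned
# directory inside a user's home, like "SementE wuz herels ; !", lands
# here, as does anything else a privileged process dropped there.
foreign_owned() {
    owner=$(home_owner "$1") || return 1
    find "$1" ! -user "$owner" -print | sed 's/^/foreign-owner: /'
}

# Entries below $1 whose names contain characters a shell interprets.
# A name ending in "ls ; !" is the shape you get when attacker-controlled
# text is concatenated into a command string and handed to sh -c/popen().
suspicious_names() {
    find "$1" -name '*[;|&<>`$()!]*' -print | sed 's/^/metachar-name: /'
}

# Entries below $1 modified after the reference file $2 (e.g. a file
# created with touch -t at the start of the suspected window).
changed_since() {
    find "$1" -newer "$2" -print | sed 's/^/changed-since: /'
}

# Run the checks over every home directory under $1 (e.g. /home).
# Optional $2 is a reference file for changed_since.
audit_homes() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        foreign_owned "$home"
        suspicious_names "$home"
        [ -n "$2" ] && changed_since "$home" "$2"
    done
    return 0
}

# Stand-alone demo on a constructed tree mimicking the forwarded listing.
# Without root we cannot create a root-owned entry, so only the name and
# time checks fire here; on the real NFS server run: audit_homes /home ref
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cfloyd/SementE wuz herels ; !" "$tmp/cfloyd/Mail"
    touch "$tmp/cfloyd/phoenix.irc" "$tmp/cfloyd/extras.irc"
    touch -t 199602090000 "$tmp/ref"   # start of the window: Feb 9 1996
    audit_homes "$tmp" "$tmp/ref"
    rm -rf "$tmp"
}

demo
```

Run it as root on the machine that actually holds the home directories (the NFS server in Brian's setup), so that `-user` sees the real uids and no export maps root away. The sweep only shows where an injected command landed; it says nothing about how the string reached a shell running as root. The "ls ; !" tail is the clue for that part: it points at a root-privileged program that builds command lines from data it receives, which is why Brian's own suspicion falls on sendmail.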