From owner-freebsd-security  Mon Jun 24 16:46:08 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id QAA24111
          for security-outgoing; Mon, 24 Jun 1996 16:46:08 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24092;
          Mon, 24 Jun 1996 16:46:01 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id QAA17026; Mon, 24 Jun 1996 16:45:42 -0700 (PDT)
Date: Mon, 24 Jun 1996 16:45:42 -0700 (PDT)
From: -Vince- <vince@mercury.gaianet.net>
To: JULIAN Elischer <julian@ref.tfs.com>
cc: mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com,
        guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org,
        ache@FreeBSD.org, Chad Shackley <chad@mercury.gaianet.net>,
        jbhunt <jbhunt@mercury.gaianet.net>
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606242059.NAA01968@ref.tfs.com>
Message-ID: <Pine.BSF.3.91.960624164353.21697G-100000@mercury.gaianet.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, JULIAN Elischer wrote:

> > On Mon, 24 Jun 1996, Mark Murray wrote:
> > 
> > 
> > > What do you get from strings(1)? (Long shot..)
> > 
> > -rwsr-xr-x     1 root  users  278528 Jun 18 04:01 root is from the dir 
>      ^ DUH!
> There  was also the one that used rdist in daemon mode
> to rdist itself a new copy of /etc/passwd (and friends)
> 
> I haven't looked recently to see if that still works for FreeBSD..
> I last looked in  386BSD..

	Oh well, I remember in Linux when there was 386 0.1...  you can 
login as a regular user, run vi (elvis) on /etc/passwd and then suspend 
and then like recover and it would make a copy of /etc/passwd

Vince
GaiaNet System Administration