From owner-freebsd-security  Sun Nov  7 14:30:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from norn.ca.eu.org (cr965240-b.abtsfd1.bc.wave.home.com [24.113.19.137])
	by hub.freebsd.org (Postfix) with ESMTP id ED79614BE4
	for <freebsd-security@FreeBSD.ORG>; Sun,  7 Nov 1999 14:30:23 -0800 (PST)
	(envelope-from cpiazza@norn.ca.eu.org)
Received: by norn.ca.eu.org (Postfix, from userid 1000)
	id 820A713A; Sun,  7 Nov 1999 14:04:20 -0800 (PST)
Date: Sun, 7 Nov 1999 14:04:20 -0800
From: Chris Piazza <cpiazza@home.net>
To: Matt Behrens <matt@zigg.com>
Cc: freebsd-security@FreeBSD.ORG, skalir scalar <skalir@hotmail.com>
Subject: Re: file name with questions - rm on it seg faults!!!
Message-ID: <19991107140420.A6070@norn.ca.eu.org>
References: <19991107183534.5193.qmail@hotmail.com> <Pine.BSF.4.10.9911071501150.75101-100000@megaweapon.zigg.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <Pine.BSF.4.10.9911071501150.75101-100000@megaweapon.zigg.com>; from matt@zigg.com on Sun, Nov 07, 1999 at 03:05:42PM -0500
X-Operating-System: FreeBSD 4.0-CURRENT
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Nov 07, 1999 at 03:05:42PM -0500, Matt Behrens wrote:
> On Sun, 7 Nov 1999, skalir scalar wrote:
> 
> : some fool on my system which I have removed but not his home
> : directory had this in it:
> : 
> : (root@hidden)[hidden]% ls -a
> : ?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!? . ..
> : (root@hidden)[hidden]% rm -Rf *YOUR*
> : Segmentation fault (core dumped)
> : 
> : so how the fuck can I remove it?
> : 
> : thx!
> 
> Hardly seems security-related.  Would have been much better asked
> in -questions, and sans profanity (it sure doesn't seem like a
> situation where profanity is called for.)

Actually this does have some relevence to -security; it's created by
the exploit outlined in 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:05.fts.asc

See http://www.freebsd.org/cgi/getmsg.cgi?fetch=89776+0+/usr/local/www/db/text/1999/freebsd-security/19990905.freebsd-security
and click the 'next in thread' link there.

I'd suggest that he updates his machine to 3.3-RELEASE or -STABLE...

> 
> First of all, since
> 
> 	touch '?YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!?'
> 
> creates this file, it's logical to presume that
> 

The actual problem is the directory tree beneath that.  The fact that
it's still called "YOUR PUBLIC SSH1 KEY..." is a pretty good example
of a script kiddie who can't even read instructions :-).

-Chris
-- 
cpiazza@home.net   cpiazza@FreeBSD.org
        Abbotsford, BC, Canada


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message