Date: Mon, 24 Jun 1996 23:46:03 -0700 (PDT) From: -Vince- <vince@mercury.gaianet.net> To: Mark Murray <mark@grumble.grondar.za> Cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net> Subject: Re: I need help on this one - please help me track this guy down! Message-ID: <Pine.BSF.3.91.960624234156.21697d-100000@mercury.gaianet.net> In-Reply-To: <199606250639.IAA08093@grumble.grondar.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 25 Jun 1996, Mark Murray wrote: > -Vince- wrote: > > > If you do not know the basics, like setuid, you are WIDE open for this > > > kind of attack. > > > > Well, I know what a setuid is but didn't know it was called a setuid > > since it has that s in the permissions... Also, on our machine, the wheel > > group only has chad, jbhunt, vince and root and the only person who can > > login to root directly is chad at the console, we all need to su. > > Ok... > > > > This shell could have been created two ways (That are currently in > > > popular cracker use): > > > > > > 1) The cracker snooped your root password somehow, (digging through > > > your desk/dustbin or by running a snooper somewhere), then created > > > this suid shell for future use. > > > > This isn't possible since Gaianet isn't opened to the public for > > people to snoop around. > > Physically, OK, but electronically? Electronically is a different story.... Since there are over 1000 users on this machine.... but we do know who hacked root access... on our other machine earth like i mentioned earlier, one person just did ypwhich to get root access but that was with 2.1R, -current seemed to fix this. > > > 2) The Cracker made a trojan script somewhere (usually exploiting > > > some admins (roots) who have "." in their path). This way he creates > > > a script that when run as root will make him a suid program. > > > after this he has you by tender bits. > > > > Hmmm, doesn't everyone have . as their path since all . does is allow > > someone to run stuff from the current directory... > > Not root! this leaves you wide open for trojans. As root you should > have to type ./foo to run foo in the current directory. Hmmm, really? It seems like almost all systems root has . for the path but if the directory for root is like read, write, execute by root only, how will they get into it? > > > There are other ways, but these are the most popular. > > > > > > For much more info, I recommend "Practical Unix Security" from > > > O'Reilly and Associates, (By Garfinkel?) > > > > I have that book but there are always ways no one knows about ;) > > Sure! :-) That's the thing like the mount_union hole, that has probably been there for ages and other people may have been using it as a backdoor for quite some time before it was discovered.... Vince
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960624234156.21697d-100000>