From owner-freebsd-security Mon Jun 24 23:47:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA22073 for security-outgoing; Mon, 24 Jun 1996 23:47:17 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA22055; Mon, 24 Jun 1996 23:47:12 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id XAA01680; Mon, 24 Jun 1996 23:46:04 -0700 (PDT)
Date: Mon, 24 Jun 1996 23:46:03 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250639.IAA08093@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Mark Murray wrote:

> -Vince- wrote:
> > > If you do not know the basics, like setuid, you are WIDE open for this
> > > kind of attack.
> >
> > Well, I know what a setuid is but didn't know it was called a setuid
> > since it has that s in the permissions... Also, on our machine, the wheel
> > group only has chad, jbhunt, vince and root and the only person who can
> > login to root directly is chad at the console, we all need to su.
>
> Ok...
>
> > > This shell could have been created two ways (that are currently in
> > > popular cracker use):
> > >
> > > 1) The cracker snooped your root password somehow (digging through
> > > your desk/dustbin or by running a snooper somewhere), then created
> > > this suid shell for future use.
> >
> > This isn't possible since Gaianet isn't open to the public for
> > people to snoop around.
>
> Physically, OK, but electronically?

Electronically is a different story.... Since there are over 1000 users on
this machine.... but we do know who hacked root access on our other machine
earth like I mentioned earlier, one person just did ypwhich to get root
access but that was with 2.1R, -current seemed to fix this.

> > > 2) The cracker made a trojan script somewhere (usually exploiting
> > > some admins (roots) who have "." in their path). This way he creates
> > > a script that when run as root will make him a suid program.
> > > After this he has you by tender bits.
> >
> > Hmmm, doesn't everyone have . in their path since all . does is allow
> > someone to run stuff from the current directory...
>
> Not root! This leaves you wide open for trojans. As root you should
> have to type ./foo to run foo in the current directory.

Hmmm, really? It seems like on almost all systems root has . in the path, but
if the directory for root is like read, write, execute by root only, how
will they get into it?

> > > There are other ways, but these are the most popular.
> > >
> > > For much more info, I recommend "Practical Unix Security" from
> > > O'Reilly and Associates (by Garfinkel?).
> >
> > I have that book but there are always ways no one knows about ;)
>
> Sure! :-)

That's the thing like the mount_union hole, that has probably been there for
ages and other people may have been using it as a backdoor for quite some
time before it was discovered....

Vince
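The two problems argued over in this thread, "." in root's PATH and a planted setuid shell, can both be audited from cron with a few lines of POSIX sh. This is an added example, not code from the thread or from FreeBSD; the baseline file format (one absolute path per line, captured once from a trusted install) is an assumption of this example.

```sh
#!/bin/sh
# Added example, not part of the original thread. Two defender-side checks for
# the two problems discussed above: "." (or an empty entry, which the shell
# also reads as the current directory) in a privileged PATH, and setuid
# executables that are not in a known-good baseline.

# unsafe_path_entries "PATH_STRING"
# Prints one line per unsafe entry; returns 0 if PATH is clean, 1 otherwise.
unsafe_path_entries() {
    # tr turns every ':' into a newline, so empty fields survive as empty lines.
    found=$(printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            '') printf '%s\n' '(empty)' ;;   # "a::b" or a trailing ':' means "."
            /*) ;;                            # absolute path: fine
            *)  printf '%s\n' "$entry" ;;     # "." or any other relative entry
        esac
    done)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# new_setuid_files DIR BASELINE
# BASELINE holds one absolute path per line, captured once from a trusted
# install (assumed format; e.g. find / -type f -perm -4000 | sort > baseline).
# Prints setuid files under DIR that are missing from BASELINE, which is how a
# planted setuid shell shows up; returns 0 if none, 1 otherwise.
new_setuid_files() {
    found=$(find "$1" -type f -perm -4000 2>/dev/null | sort \
            | grep -vxF -f "$2" || :)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Example run against a constructed PATH like the one debated above:
# unsafe_path_entries "/sbin:/bin:/usr/sbin:/usr/bin:." || echo "remove . from root's PATH"
```

Run the setuid check regularly and diff its output against the baseline you took when the system was clean; a new line is exactly the suid shell Mark describes.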