From owner-freebsd-security Wed Apr 24 15:54:16 2002
Date: Wed, 24 Apr 2002 16:02:11 -0700
From: Jason DiCioccio
Reply-To: "Jason DiCioccio (reply)"
To: "Patrick O. Fish", freebsd-security@freebsd.org
Subject: Re: su: s/key
Message-ID: <513728078.1019664131@[192.168.4.56]>
In-Reply-To: <009101c1ebdf$341b4000$0300a8c0@zeus>
References: <009101c1ebdf$341b4000$0300a8c0@zeus>

--On Wednesday, April 24, 2002 3:27 PM -0700 "Patrick O. Fish" wrote:

> I just got back from a vacation today. I had an email from my security
> officer saying that he was able to use an exploit to get root, and that he
> patched it (took suid off that file). I go to su, and I get this:
>
> patrick@apollo:~$ su
> s/key 95 snosoft2
> Password:
>

If what you're saying is that when you got back from vacation and tried to
su, you got that s/key prompt, then it looks like someone has already used
the stdio exploit on your box.

Cheers,
-JD-

----
Useless .sig