From owner-freebsd-hackers Mon Jun 24 13:46:08 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA00821 for hackers-outgoing; Mon, 24 Jun 1996 13:46:08 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA00798; Mon, 24 Jun 1996 13:45:54 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id WAA06435; Mon, 24 Jun 1996 22:43:37 +0200 (SAT)
Message-Id: <199606242043.WAA06435@grumble.grondar.za>
To: Veggy Vinny
cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
Date: Mon, 24 Jun 1996 22:43:36 +0200
From: Mark Murray
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Veggy Vinny wrote:
> > With a setuid bit?
>
> Not too sure...

ls -al will tell you this. Come on :-)

> > Does ktrace(1) give any clues?
>
> Nope... :-(
>
> > What do you get from strings(1)? (Long shot..)
>
> -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir
     ^
     |
This is a setuid prog. The program is owned by root, and is SETUID,
therefore it will run as if it were root. It is probably a shell
(bash, sh, csh) renamed to root and setuid. "chmod 755 root" will cut
it down to size.

> listing. as for strings... it's really long...

Try me. Cut out the rubbish and the library crap.

> > What other exploration have you done?
>
> Not much really..... I do remember seeing someone like hack root
> using ypwhich and it worked too.... that was on 2.1R... -current seemed
> to fix it...

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
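
An added example, not part of the original message: a small auditor that decodes `ls -l` mode strings like the `-rwsr-xr-x` line quoted above, flags root-owned setuid files, and reports the mode left once the setuid bit is cleared (the `chmod 755` in the reply). The function names and every listing line except the first are constructed for illustration.

```python
import stat

# ls -l permission columns, in order, after the leading file-type character.
_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
         stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# setuid, setgid and sticky are displayed in the three execute columns.
_SPECIAL = {2: ("sS", stat.S_ISUID), 5: ("sS", stat.S_ISGID), 8: ("tT", stat.S_ISVTX)}


def parse_mode(mode_str):
    """Convert an ls -l mode string such as '-rwsr-xr-x' to numeric mode bits."""
    perms = mode_str[1:10]
    if len(perms) != 9:
        raise ValueError("not an ls -l mode string: %r" % mode_str)
    mode = 0
    for i, ch in enumerate(perms):
        letters, special = _SPECIAL.get(i, ("", 0))
        if ch in letters:
            mode |= special
            if ch.islower():  # 's'/'t': execute bit set too; 'S'/'T': not
                mode |= _BITS[i]
        elif ch == "rwx"[i % 3]:
            mode |= _BITS[i]
        elif ch != "-":
            raise ValueError("unexpected %r in %r" % (ch, mode_str))
    return mode


def setuid_root_files(listing):
    """Return (name, mode, mode_after_fix) for root-owned setuid regular files."""
    found = []
    for line in listing.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or not fields[0].startswith("-"):
            continue
        mode = parse_mode(fields[0])
        if fields[2] == "root" and mode & stat.S_ISUID:
            found.append((fields[8], oct(mode), oct(mode & ~stat.S_ISUID)))
    return found


# Constructed listing; only the first line comes from the message above.
SAMPLE = """\
-rwsr-xr-x 1 root users 278528 Jun 18 04:01 root
-rwxr-xr-x 1 root wheel 12288 Jun 18 04:01 notes
-rwSr--r-- 1 vinny users 40 Jun 18 04:01 odd
"""
```

Calling `setuid_root_files(SAMPLE)` reports only the file named `root`, with its current mode and the mode that remains after the setuid bit is removed.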