From owner-freebsd-hackers Mon Jun 24 14:57:50 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA09176 for hackers-outgoing; Mon, 24 Jun 1996 14:57:50 -0700 (PDT)
Received: from andrew.cmu.edu (ANDREW.CMU.EDU [128.2.10.101]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id OAA09155; Mon, 24 Jun 1996 14:57:39 -0700 (PDT)
Received: (from postman@localhost) by andrew.cmu.edu (8.7.5/8.7.3) id RAA05938; Mon, 24 Jun 1996 17:52:27 -0400
Received: via switchmail; Mon, 24 Jun 1996 17:52:25 -0400 (EDT)
Received: from unix13.andrew.cmu.edu via qmail ID ; Mon, 24 Jun 1996 17:52:00 -0400 (EDT)
Received: from unix13.andrew.cmu.edu via qmail ID ; Mon, 24 Jun 1996 17:51:57 -0400 (EDT)
Received: from mms.4.60.Jan.26.1995.18.43.47.sun4c.411.EzMail.2.0.CUILIB.3.45.SNAP.NOT.LINKED.unix13.andrew.cmu.edu.sun4c.411 via MS.5.6.unix13.andrew.cmu.edu.sun4c_411; Mon, 24 Jun 1996 17:51:57 -0400 (EDT)
Message-ID: <4lnkrxe00YUpQCvVNx@andrew.cmu.edu>
Date: Mon, 24 Jun 1996 17:51:57 -0400 (EDT)
From: Matthew Jason White
To: Veggy Vinny
Subject: Re: I need help on this one - please help me track this guy down!
Cc: Mark Murray , Wilko Bulte , "Jordan K. Hubbard" , guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
In-Reply-To: <199606242043.WAA06435@grumble.grondar.za>
References: <199606242043.WAA06435@grumble.grondar.za>
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one.. by Mark Murray@grondar.za
> | This is a setuid prog. The program is owned by root, and is
> SETUID, therefore it will run as if it were root. It is
> probably a shell (bash, sh, csh) renamed to root and setuid.
> "chmod 755 root" will cut it down to size.

I think perhaps a better question to be asking is how this guy got a suid shell on that system. It could have been a booby-trapped program that got run as root, but one would hope that such a chintzy method wouldn't work on most systems.

-Matt

-----
Matt White
Email: mwhite+@cmu.edu
http://www.cs.cmu.edu/afs/cs/user/mwhite/www/
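
An added example, not part of the original message: a shell sketch of the audit the thread points toward, listing setuid files that are byte-for-byte copies of a login shell (the renamed shell described in the quoted reply) and clearing the bit with the quoted "chmod 755". The function names and their parameters are hypothetical, and the check assumes the copied shell is one of those listed in /etc/shells.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and arguments are
# hypothetical; only find, cmp, chmod and printf are real tools.

# find_setuid_shells DIR [OWNER_UID] [SHELL_LIST]
# Prints "<file> matches <shell>" for every setuid regular file under DIR,
# owned by OWNER_UID (default 0, i.e. root), whose contents are identical
# to a shell named in SHELL_LIST (default /etc/shells).
find_setuid_shells() {
    dir=$1
    owner=${2:-0}
    shells=${3:-/etc/shells}

    # -perm -4000 selects files with the setuid bit set.
    find "$dir" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null |
    while IFS= read -r f; do
        while IFS= read -r sh; do
            # Skip blank lines and comments in the shell list.
            case $sh in ''|\#*) continue ;; esac
            [ -f "$sh" ] || continue
            # A renamed copy keeps the same bytes, so compare contents,
            # not names.
            if cmp -s "$f" "$sh"; then
                printf '%s matches %s\n' "$f" "$sh"
                break
            fi
        done < "$shells"
    done
}

# strip_setuid FILE
# The fix from the quoted reply: mode 755 drops the setuid bit and leaves
# the file runnable with the caller's own privileges only.
strip_setuid() {
    chmod 755 "$1"
}
```

A hit only confirms that the file exists; its timestamps and the logs around its creation are where the question of how it got there has to be answered.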