From owner-freebsd-hackers  Mon Jun 24 16:40:24 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id QAA23857
          for hackers-outgoing; Mon, 24 Jun 1996 16:40:24 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA23847;
          Mon, 24 Jun 1996 16:40:20 -0700 (PDT)
Received: (from vince@localhost)
          by mercury.gaianet.net (8.7.5/8.6.12) id QAA16166;
          Mon, 24 Jun 1996 16:39:39 -0700 (PDT)
Date: Mon, 24 Jun 1996 16:39:39 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: Mark Murray, Wilko Bulte, "Jordan K. Hubbard", guido@gvr.win.tue.nl,
    hackers@freebsd.org, security@freebsd.org, ache@freebsd.org, jbhunt,
    Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606242043.WAA06435@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Mark Murray wrote:

> Veggy Vinny wrote:
> > > With a setuid bit?
> >
> > 	Not too sure...
>
> ls -al will tell you this. Come on :-)

	Hmmm, okay :-)

> > > Does ktrace(1) give any clues?
> >
> > 	Nope... :-(
> >
> > > What do you get from strings(1)? (Long shot..)
> >
> > -rwsr-xr-x  1 root  users  278528 Jun 18 04:01 root  is from the dir
>      ^
>      | This is a setuid prog. The program is owned by root, and is
>        SETUID, therefore it will run as if it were root. It is
>        probably a shell (bash, sh, csh) renamed to root and setuid.
>        "chmod 755 root" will cut it down to size.

	it does seem like sh or bash...

> > listing.  as for strings... it's really long...
>
> Try me. Cut out the rubbish and the library crap.

	Well, it's actually easier to mail you the binary...

> > > What other exploration have you done?
> >
> > 	Not much really..... I do remember seeing someone like hack root
> > using ypwhich and it worked too.... that was on 2.1R...  -current seemed
> > to fix it...

Vince
System Administration/GaiaNet Corporation
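
Added example, not part of the original message or of FreeBSD: a small sh audit for the case discussed in the thread, a setuid file that is really a renamed copy of a shell. The function names, the use of /etc/shells as the list of candidate shells, and the directory passed on the command line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list setuid files under a directory
# that are byte-for-byte copies of a login shell, like the "root" file above.

# Candidate shells: /bin/sh plus every absolute path in /etc/shells.
list_shells() {
    echo /bin/sh
    if [ -r /etc/shells ]; then
        grep '^/' /etc/shells || true
    fi
    return 0
}

# Print each setuid regular file under $1 whose contents match a known shell.
find_setuid_shell_copies() {
    dir=$1
    # -perm -4000 selects files with the setuid bit (the "s" in -rwsr-xr-x).
    find "$dir" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        list_shells | while IFS= read -r shell_path; do
            if [ -f "$shell_path" ] && cmp -s "$f" "$shell_path"; then
                printf '%s\n' "$f"
                break
            fi
        done
    done
    return 0
}

# Usage: sh this_script /home   (the directory to audit is an assumption)
if [ "$#" -gt 0 ]; then
    find_setuid_shell_copies "$1"
fi
```

A match means the file is an exact copy of an installed shell; a recompiled or patched shell will not match, so an empty result does not clear a suspicious setuid file.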