From owner-freebsd-security Mon Jul 28 21:35:32 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id VAA07440 for security-outgoing; Mon, 28 Jul 1997 21:35:32 -0700 (PDT)
Received: from hauki.clinet.fi (root@hauki.clinet.fi [194.100.0.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA07420; Mon, 28 Jul 1997 21:35:25 -0700 (PDT)
Received: from katiska.clinet.fi (root@katiska.clinet.fi [194.100.0.4]) by hauki.clinet.fi (8.8.6/8.8.6) with ESMTP id HAA07028; Tue, 29 Jul 1997 07:34:20 +0300 (EET DST)
Received: (hsu@localhost) by katiska.clinet.fi (8.8.6/8.6.4) id HAA22497; Tue, 29 Jul 1997 07:34:20 +0300 (EEST)
Date: Tue, 29 Jul 1997 07:34:20 +0300 (EEST)
Message-Id: <199707290434.HAA22497@katiska.clinet.fi>
From: Heikki Suonsivu
To: Vincent Poy
Cc: Gary Palmer, security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
References: <3749.870135741@orion.webspan.net>
Organization: Clinet Ltd, Espoo, Finland
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy writes:
> Machines are offline already. The hacker confronted us and said
> that it was the default .rhosts file that came in the FreeBSD root account
> and he used perl5.00401 which had a security hole and then used rlogin to
> login to another machine without the password.

There is no default .rhosts file in FreeBSD, so the hacker is probably trying to avoid telling you what the real hole was.

Just for reference, there are a large number of irc scripts which contain backdoors (often well-disguised), which usually create a .rhosts file with "+ +" in it. The easiest way is to trick someone on the machine into running one of those scripts, which opens the machine, then use one of the FreeBSD holes or local misconfigurations to open the rest.

> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____
> Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
> GaiaNet Corporation - M & C Estate / / / / | / | __] ]
> Beverly Hills, California USA 90210 / / / / / |/ / | __] ]
> HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]

--
Heikki Suonsivu, T{ysikuu 10 C 83/02210 Espoo/FINLAND, hsu@clinet.fi
mobile +358-40-5519679 work +358-9-43542270 fax -4555276
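
A check for the "+ +" backdoor mentioned in the reply, as an added example that is not part of the original message: a POSIX shell audit that flags .rhosts files with wildcard entries or with write access for anyone but the owner. The function names and the layout (home directories directly under the directories passed as arguments) are assumptions.

```sh
#!/bin/sh
# Added example: audit rlogin/rsh trust files for wildcard entries.
# Assumption: home directories sit directly under the directories passed
# to scan_homes (for instance /home); function names are illustrative.

# check_trust_file FILE
# Prints one finding per risky line and returns 1 if any line was flagged.
check_trust_file() {
    [ -f "$1" ] || return 0
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 == "+" && $2 == "+" { print FILENAME ":" FNR ": any user from any host (+ +)"; bad = 1; next }
        $1 == "+"              { print FILENAME ":" FNR ": any host is trusted"; bad = 1; next }
        $2 == "+"              { print FILENAME ":" FNR ": any user on " $1 " is trusted"; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# scan_homes DIR...
# Checks the .rhosts file in every immediate subdirectory of each DIR.
# Returns 1 if any file has a wildcard entry or loose permissions.
scan_homes() {
    rc=0
    for base in "$@"; do
        for home in "$base"/*/; do
            rh="${home}.rhosts"
            [ -f "$rh" ] || continue
            check_trust_file "$rh" || rc=1
            # A trust file that group or others can write can be edited
            # by another account to add its own entry.
            if [ -n "$(find "$rh" -prune \( -perm -020 -o -perm -002 \))" ]; then
                echo "$rh: writable by group or others"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Run only when directories are given, e.g.: sh audit_rhosts.sh /home
[ "$#" -eq 0 ] || scan_homes "$@"
```

Root's home on FreeBSD is /root rather than a directory under /home, so check it directly with `check_trust_file /root/.rhosts`.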