From owner-freebsd-hackers Mon Jun 24 16:54:52 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id QAA24630 for hackers-outgoing; Mon, 24 Jun 1996 16:54:52 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24615;
    Mon, 24 Jun 1996 16:54:47 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12)
    id QAA18594; Mon, 24 Jun 1996 16:54:26 -0700 (PDT)
Date: Mon, 24 Jun 1996 16:54:26 -0700 (PDT)
From: -Vince-
To: Matthew Jason White
cc: Mark Murray, Wilko Bulte, "Jordan K. Hubbard", guido@gvr.win.tue.nl,
    hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org,
    Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <4lnkrxe00YUpQCvVNx@andrew.cmu.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 24 Jun 1996, Matthew Jason White wrote:

> Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one..
> by Mark Murray@grondar.za
> > This is a setuid prog. The program is owned by root, and is
> > SETUID, therefore it will run as if it were root. It is
> > probably a shell (bash, sh, csh) renamed to root and setuid.
> > "chmod 755 root" will cut it down to size.
>
> I think perhaps a better question to be asking is how this guy got a
> suid shell on that system. It could have been a booby-trapped program
> that got run as root, but one would hope that such a chintzy method
> wouldn't work on most systems.

Yeah, that's the real question, like if he can transfer the binary
from another machine and have it work... other people can do the same
thing and gain access to FreeBSD boxes as root as long as they have an
account on that machine...

Vince
GaiaNet - System Administration
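
Added example, not part of the original message or of FreeBSD: an audit sketch for the situation discussed in this thread, listing setuid files that are byte-for-byte copies of a login shell under any name, with a helper that clears the bit. The function names are hypothetical, and the reference shells are assumed to be listed one per line in /etc/shells format.

```sh
#!/bin/sh
# Added example: flag setuid files whose contents are identical to a login
# shell, whatever they were renamed to (the file in this thread was "root").
# Assumption: reference shells are listed one per line, /etc/shells style.

# is_shell_copy FILE SHELLS_LIST
# Prints the first listed shell identical to FILE; fails if there is none.
is_shell_copy() {
    while IFS= read -r shell || [ -n "$shell" ]; do
        case "$shell" in ''|\#*) continue ;; esac   # skip blanks and comments
        [ -f "$shell" ] || continue
        if cmp -s "$1" "$shell"; then
            printf '%s\n' "$shell"
            return 0
        fi
    done < "$2"
    return 1
}

# audit_setuid_shells DIR [SHELLS_LIST]
# Prints "path<TAB>owner<TAB>matching shell" for each setuid regular file
# under DIR (same filesystem only) that is a copy of a listed shell.
audit_setuid_shells() {
    dir=$1
    list=${2:-/etc/shells}
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        if match=$(is_shell_copy "$f" "$list"); then
            owner=$(ls -ld "$f" | awk '{print $3}')
            printf '%s\t%s\t%s\n' "$f" "$owner" "$match"
        fi
    done
}

# strip_setuid FILE
# Clears the setuid/setgid bits, as the quoted "chmod 755 root" does,
# while leaving the other permission bits alone.
strip_setuid() {
    chmod u-s,g-s "$1"
}

# Run the audit when called with arguments, e.g.: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_setuid_shells "$@"
fi
```

A hit whose owner column is root is the case described in the quoted text. The byte comparison only catches unmodified copies of shells present on the audited host, so a binary brought in from another machine still needs a separate review of every setuid file the base system did not install.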