From owner-freebsd-questions Sun Nov 16 09:14:18 1997
Return-Path:
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id JAA00830
          for questions-outgoing; Sun, 16 Nov 1997 09:14:18 -0800 (PST)
          (envelope-from owner-freebsd-questions)
Received: from ns1.hiper.net (ns1.hiper.net [207.137.172.11])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA00825
          for ; Sun, 16 Nov 1997 09:14:15 -0800 (PST)
          (envelope-from randyk@ccsales.com)
Received: from ntrkcasa (pool34.hiper.net [207.137.172.34])
          by ns1.hiper.net (8.8.5/8.8.5) with SMTP id JAA26829;
          Sun, 16 Nov 1997 09:34:12 GMT
Message-Id: <3.0.5.32.19971116091341.00ca0650@ccsales.com>
X-Sender: randyk@ccsales.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sun, 16 Nov 1997 09:13:41 -0800
To: questions@freebsd.org
From: "Randy A. Katz"
Subject: HOW (HIJACK ROOT PROCESS)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Hello,

I suspect someone hijacked a root process, downloaded master.passwd, ran cracker (or something like that) on it and gained complete access to one of my systems.

I'm running FreeBSD 2.2.2 RELEASE with the latest sendmail, bind, mail queue software (qpop)...

I need to know how they gain access to a root process so I can try it and patch up the hole there. Please don't tell me to reinstall, I'll do that when I've understood the access path.

Thanx (and HELP!!!)

Randy Katz