From owner-freebsd-security Tue Jun 25 08:44:16 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id IAA09942 for security-outgoing; Tue, 25 Jun 1996 08:44:16 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id IAA09904; Tue, 25 Jun 1996 08:44:04 -0700 (PDT)
Received: (from jbhunt@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id IAA05830; Tue, 25 Jun 1996 08:43:37 -0700 (PDT)
Date: Tue, 25 Jun 1996 08:43:37 -0700 (PDT)
From: jbhunt
To: Michael Smith
cc: -Vince- , mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606251242.WAA00732@genesis.atrad.adelaide.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Michael Smith wrote:

> -Vince- stands accused of saying:
> >
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
>
> ... so jbhunt should know exactly what he did. If they don't, then
> you should sack them presto.
>
> But I don't think you understand; you cannot _make_ a file owned by
> root unless you are _already_ root.
>
> > Vince
>
> --
> ]] Mike Smith, Software Engineer          msmith@atrad.adelaide.edu.au [[
> ]] Genesis Software                       genesis@atrad.adelaide.edu.au [[
> ]] High-speed data acquisition and        (GSM mobile) 0411-222-496    [[
> ]] realtime instrument control            (ph/fax) +61-8-267-3039      [[
> ]] Collector of old Unix hardware.  "Where are your PEZ?" The Tick    [[

Ok, this is jb. First off, all this "copied from here to there as root" didn't happen. I gave this fella an account knowing that, more than likely, if we had a hole he would find it.

Unfortunately I wasn't watching his tty when he actually used whatever exploit he used. He obviously used a setuid exploit, so I suggest that there is a new exploit out abusing a setuid program somewhere on the system, because I know Vince fixed the mount_union and current fixed the old ypwhich hack. Or actually maybe not so old for some of you, but either way I did have to give him an account before he could do anything. However, once inside it took him 2 minutes and he was root. I know for a fact it was his FIRST look inside the system and I ran no scripts from his dir. That option is out, so don't bother. I did start watching his tty after he took root, but it was too late.

I am open to any suggestions any of you have; so far this seems to be a very constructive group :>

John
SysAdmin
Gaianet
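Added example, not from the thread or from FreeBSD: a POSIX shell check that inventories the setuid/setgid files under a directory tree and reports entries that differ from a previously saved baseline, which is one way to spot the unexpected setuid program the post suspects. The directory, baseline path and sample file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: inventory setuid/setgid files
# under a directory tree and report anything not in a saved baseline.
# Assumes only POSIX find, ls, awk, sort and comm, and paths without spaces.

# list_setuid DIR
#   Print one "mode owner path" line per setuid or setgid regular file
#   under DIR, sorted so the output can be stored and compared with comm.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{ print $1, $3, $NF }' | sort
}

# setuid_diff DIR BASELINE
#   Print the lines of the current inventory that are absent from BASELINE:
#   new setuid files, or existing ones whose mode or owner changed.
#   BASELINE is a file written earlier by list_setuid.
setuid_diff() {
    list_setuid "$1" | comm -13 "$2" -
}

# Usage: sh setuid_check.sh DIR BASELINE   (e.g. / and /var/db/setuid.base,
# both assumed names); exit status 1 when anything unexpected is found.
if [ "$#" -ge 2 ]; then
    changes=$(setuid_diff "$1" "$2")
    if [ -n "$changes" ]; then
        printf 'unexpected setuid/setgid entries:\n%s\n' "$changes"
        exit 1
    fi
fi
```

Save the baseline with `list_setuid / > /var/db/setuid.base` on a known-good system (ideally from read-only media) and run the check periodically; a file that was setuid all along but is not in the baseline is a finding too, not noise.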