Date: Mon, 24 Jun 1996 20:04:05 -0400 (EDT)
From: Matthew Jason White
Subject: Re: I need help on this one - please help me track this guy down!
Cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Message-ID: <0lnmnpy00YUp8Ea2EM@andrew.cmu.edu>

Excerpts from freebsd-security: 24-Jun-96 Re: I need help on this one.. by -Vince-@mercury.gaianet.

> Yeah, that's the real question: if he can transfer the
> binary from another machine and have it work, other people can do the
> same thing and gain access to FreeBSD boxes as root as long as they have
> an account on that machine...

That shouldn't be possible. FreeBSD wouldn't allow the transfer program to assign root ownership to a program unless that program is run as root. The programs typically run on a FreeBSD system as root do not assign ownership in this way.
This guy must've gotten root some other way and then created the shell so that he could get root again in the future.

You probably want to change the security script so that it points out ALL suid programs in /usr/home, /tmp, /var/tmp and /usr/tmp, or any other publicly writable area.

Are you running inn1.4 on this system? If so, you should probably upgrade to inn-1.4uoff4 (this port should probably be upgraded, if someone hasn't already).

-Matt

-----
Matt White
Email: mwhite+@cmu.edu
http://www.cs.cmu.edu/afs/cs/user/mwhite/www/
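The audit Matt suggests (list every setuid/setgid file under home and publicly writable directories, and flag the root-owned ones, since those are the planted "get root again later" shells) as an added, self-contained example. This is not code from the original mail nor FreeBSD's own security script; the directory list and the function names are assumptions taken from the mail above, and the scan uses only POSIX find primaries so it runs on FreeBSD and Linux alike.

```sh
#!/bin/sh
# Added example: scan for setuid/setgid files in directories ordinary
# users can write to. Not part of the original mail or of FreeBSD's
# /etc/security. The directory list below is an assumption lifted from
# the mail; adjust it to the system being checked.

SUSPECT_DIRS="/usr/home /home /tmp /var/tmp /usr/tmp"

# find_setuid DIR...: print every regular file under the given directories
# that has the setuid (04000) or setgid (02000) bit set, one "ls -ld" line
# each, so owner, mode and path are visible. -xdev keeps the walk on the
# same filesystem; directories that do not exist are skipped silently.
find_setuid() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
            -exec ls -ld {} \; 2>/dev/null
    done
}

# find_root_setuid DIR...: only the root-owned setuid files, i.e. the ones
# that hand root to whoever executes them. A legitimate root-owned setuid
# binary has no business living in /tmp or a user's home directory.
find_root_setuid() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -user root -perm -4000 -print 2>/dev/null
    done
}

# count_setuid DIR...: number of setuid/setgid files found (0 when clean).
count_setuid() {
    find_setuid "$@" | wc -l | tr -d ' '
}

# Run the full scan only when invoked as "sh audit.sh --scan", so that the
# functions can also be sourced from a periodic security script.
if [ "${1:-}" = "--scan" ]; then
    echo "setuid/setgid files under: $SUSPECT_DIRS"
    find_setuid $SUSPECT_DIRS
    echo "root-owned setuid files (should be none):"
    find_root_setuid $SUSPECT_DIRS
fi
```

Run it as root so that every home directory is readable; a non-root run still catches anything in the world-readable temp directories. Note that the same walk finds the dropped shell regardless of its name, which is the point: the attacker picks the filename, not the mode bits.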