From owner-freebsd-security Tue Jun 25 09:48:25 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA16410 for security-outgoing; Tue, 25 Jun 1996 09:48:25 -0700 (PDT)
Received: from hive-queen.paccar.com (firewall-user@hive-queen.paccar.com [160.69.38.13]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA16398 for ; Tue, 25 Jun 1996 09:48:23 -0700 (PDT)
Received: (from uucp@localhost) by hive-queen.paccar.com (8.7.5/8.7.3) id JAA08514 for ; Tue, 25 Jun 1996 09:41:55 -0700 (PDT)
Received: from mailhub.misrenton.paccar.com(160.69.10.5) by hive-queen.paccar.com via smap (V3.1) id xma008497; Tue, 25 Jun 96 09:41:28 -0700
Received: from mugwump.paccar.com (mugwump.paccar.com [160.69.30.11]) by mailhub.misrenton.paccar.com (8.7.5/8.7.3) with ESMTP id JAA28606 for ; Tue, 25 Jun 1996 09:46:12 -0700 (PDT)
Received: from jane.techcenter.paccar.com (jane.techcenter.paccar.com [160.69.33.35]) by mugwump.paccar.com (8.7.5/8.7.3) with SMTP id JAA09261 for ; Tue, 25 Jun 1996 09:53:11 -0700 (PDT)
Date: Tue, 25 Jun 1996 09:53:11 -0700 (PDT)
Message-Id: <199606251653.JAA09261@mugwump.paccar.com>
X-Sender: fletcher@mugwump.paccar.com
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: security@FreeBSD.org
From: Arlen Fletcher
Subject: Re: I need help on this one - please help me track this guy down!
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

At 08:43 AM 6/25/96 -0700, you wrote:
>On Tue, 25 Jun 1996, Michael Smith wrote:
>
[snip]
>Ok, this is jb. First of all, this "copied from here to there as root"
>didn't happen. I gave this fella an account knowing more than likely, if
>we had a hole, he would find it. Unfortunately I wasn't watching his tty
>when he actually used whatever exploit he used. He obviously used a
>setuid exploit, so I suggest that there is a new exploit out abusing a
>setuid program somewhere on the system, because I know Vince fixed the
>mount_union and -current fixed the old ypwhich hack. Or actually maybe not
>so old for some of you, but either way I did have to give him an account
>before he could do anything. However, once inside it took him 2 minutes
>and he was root. I know for a fact it was his FIRST look inside the

Did you by any chance check the history file? I presume he vaporized it,
but you never know.... Of course it's 20/20 hindsight, but copying the
history file somewhere else when you see a user doing something bizarre
(like becoming root) might be worth thinking about in the future.

-----------------------------------------------------------------
Opinions expressed in this message are mine and not necessarily
those of my employer.
-----------------------------------------------------------------
Arlen Fletcher N7YIM fletcher@paccar.com
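The suggestion above, to copy the history file away the moment a user starts behaving oddly, as an added example that is not part of the original message and not FreeBSD's own tooling: a small sh function that snapshots the usual shell history files into a private evidence directory with a manifest, and refuses to follow a symlinked history file rather than copying whatever it points at. The function name, its two arguments, the list of history file names and the throwaway home directory used in the demonstration are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original message or from FreeBSD.
# Preserve a user's shell history files into a private evidence directory
# before the user (or the user's shell, on exit) can rewrite them.
#
# Assumed interface (not from the original): snapshot_history HOME_DIR EVIDENCE_DIR
# prints the path of the snapshot directory it created.

snapshot_history() {
    home=$1
    evidence=$2
    # one directory per snapshot; $$ keeps two snapshots taken in the same second apart
    dest="$evidence/$(date -u +%Y%m%dT%H%M%SZ)-$$"
    mkdir -p "$dest" || return 1
    # the snapshot should be readable by the collector (root) only
    chmod 700 "$dest"
    copied=0
    # history file names used by the shells commonly found on a BSD box (assumed list)
    for name in .history .sh_history .bash_history .csh_history .zsh_history; do
        src="$home/$name"
        if [ -L "$src" ]; then
            # A symlinked history file (classically pointing at /dev/null) is itself
            # evidence, and copying through it could read a file the user never wrote,
            # so record the link target instead of following it.
            printf 'SYMLINK %s -> %s\n' "$name" "$(readlink "$src")" >>"$dest/MANIFEST"
            continue
        fi
        [ -f "$src" ] || continue
        # -p keeps the original mtime, which dates the last shell exit that wrote the file
        cp -p "$src" "$dest/$name" || continue
        # CRC and size of the copy, so later tampering with the evidence is detectable
        printf 'FILE %s %s\n' "$(cksum <"$dest/$name")" "$name" >>"$dest/MANIFEST"
        copied=$((copied + 1))
    done
    printf 'COPIED %d\n' "$copied" >>"$dest/MANIFEST"
    printf '%s\n' "$dest"
}

# Constructed demonstration: a throwaway home directory with one real history
# file and one history file symlinked to /dev/null, as an evasive user might leave it.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/home/jane"
printf 'ls -la /tmp\nsu\n' >"$demo_root/home/jane/.bash_history"
ln -s /dev/null "$demo_root/home/jane/.history"
snap=$(snapshot_history "$demo_root/home/jane" "$demo_root/evidence")
cat "$snap/MANIFEST"
rm -rf "$demo_root"
```

Two caveats the script cannot fix: most shells write the history file only when the session exits, so a snapshot taken while the intruder is still logged in shows earlier sessions rather than the current one, and a user who unsets HISTFILE or links the file to /dev/null leaves nothing to copy. A record the user cannot edit is process accounting, which on FreeBSD is enabled with accton(8) and read with lastcomm(1).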