From owner-freebsd-security Sat Feb 10 11:45:16 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA07057 for security-outgoing; Sat, 10 Feb 1996 11:45:16 -0800 (PST)
Received: from mailhub.aros.net (mailhub.aros.net [205.164.111.17]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA07051 for ; Sat, 10 Feb 1996 11:45:14 -0800 (PST)
Received: from terra.aros.net (terra.aros.net [205.164.111.10]) by mailhub.aros.net (8.6.12/Unknown) with ESMTP id MAA08522; Sat, 10 Feb 1996 12:45:36 -0700
Received: (from angio@localhost) by terra.aros.net (8.6.12/8.6.12) id MAA12583; Sat, 10 Feb 1996 12:45:12 -0700
From: Dave Andersen
Message-Id: <199602101945.MAA12583@terra.aros.net>
Subject: Re: User creating root-owned directories?
To: taob@io.org (Brian Tao)
Date: Sat, 10 Feb 1996 12:45:12 -0700 (MST)
Cc: pst@shockwave.com, freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Feb 10, 96 11:36:15 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-security@freebsd.org
Precedence: bulk

Lo and behold, Brian Tao once said:
> I'll perform a more detailed scan for setuid and setgid programs
> today then. A lot of our users run setuid CGI scripts (PHP tools, a
> Web page logging package)... the hacker may have named a setuid
> program after one of the PHP scripts to hide it from scrutiny.
> Probably a good time to compare MD5 signatures on the system binaries
> too... *sigh*.

From the way the filename looks, it's almost tempting to say that someone got in through a poorly configured cgi-bin script of some type. Do you have setuid cgis lying around that might use user input for generating a command line? (The "I got in ; ls" is what suggests it..)

-Dave Andersen

--
angio@aros.net
Complete virtual hosting and business-oriented system administration Internet services. (WWW, FTP, email)
http://www.aros.net/
http://www.aros.net/about/virtual/
"There are only two industries that refer to their customers as 'users'."
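The failure mode Dave is asking about, a setuid CGI that splices a query parameter into a command line handed to /bin/sh, shown next to the hardened form. This is an added example written for this archive page; it is not code from the original post, from the PHP tools, or from the logging package the thread mentions. The function names, the sample inputs, and the use of echo as a stand-in for whatever program the script was meant to run are all assumptions made for illustration.

```python
"""Added example, not from the original mailing-list post: a CGI-style
handler that builds a shell command from a query parameter (the pattern
Dave asks about) next to a hardened version. All function names and the
sample inputs below are constructed for illustration."""
import re
import subprocess

# Constructed sample inputs: an ordinary username, and the kind of value an
# attacker supplies when the script splices it into a shell command line.
BENIGN_QUERY = "alice"
INJECTED_QUERY = "alice; ls /"

# Assumption: the script was meant to run one fixed program on the input.
# echo stands in for that program so the example runs offline and harmlessly.
PROGRAM = "echo"


def build_command_vulnerable(query: str) -> str:
    """The string a system(3)-style script hands to /bin/sh -c.
    Nothing separates the program's argument from the rest of the shell
    command line, so ';', '|', '`' or '$(' in the input start a second
    command that runs with the script's (setuid) privileges."""
    return f"{PROGRAM} {query}"


def run_vulnerable(query: str) -> str:
    """Executes the command line exactly as system(3) would and returns what
    the shell printed. With INJECTED_QUERY the output is the echoed name
    followed by a directory listing: the attacker's command ran."""
    cmd = build_command_vulnerable(query)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def run_hardened(query: str) -> str:
    """Same program, but started with execve(2) semantics: the input is a
    single argv element and no shell ever parses it, so "alice; ls /" is
    printed back literally instead of being executed."""
    return subprocess.run([PROGRAM, query], capture_output=True, text=True).stdout


# Allowlist for what a username-style parameter may look like (assumption).
SAFE_QUERY = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_safe_query(query: str) -> bool:
    """Allowlist check to apply before the input reaches any command at all.
    An allowlist beats stripping individual metacharacters because every
    character the shell treats specially is rejected at once."""
    return SAFE_QUERY.fullmatch(query) is not None


def handle_request(query: str) -> str:
    """The hardened handler: reject anything outside the allowlist, then run
    the program with argv rather than through the shell."""
    if not is_safe_query(query):
        return "400 Bad Request: invalid query\n"
    return run_hardened(query)


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED_QUERY)[:60]))
    print("hardened:  ", repr(run_hardened(INJECTED_QUERY)))
    print("handler:   ", repr(handle_request(INJECTED_QUERY)))
```

Both halves of the fix matter: the argv form removes the shell from the path entirely, and the allowlist keeps bad input from reaching the program at all, which also covers programs that interpret their own arguments (leading dashes, for instance). Checking for ';' alone is not enough, since backquotes, '|', '&' and '$(' give the same result through /bin/sh.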