From owner-freebsd-security  Mon Jul 28 08:45:20 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id IAA13429
          for security-outgoing; Mon, 28 Jul 1997 08:45:20 -0700 (PDT)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA13410
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 08:45:14 -0700 (PDT)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33])
          by mexico.brainstorm.eu.org (8.8.4/8.8.4) with ESMTP
	  id RAA01141 for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 17:45:11 +0200
Received: (from uucp@localhost)
	by brasil.brainstorm.eu.org (8.8.6/brasil-1.2) with UUCP id RAA04796
	for security@FreeBSD.ORG; Mon, 28 Jul 1997 17:44:52 +0200
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.6/keltia-uucp-2.9) id RAA05405;
          Mon, 28 Jul 1997 17:16:34 +0200 (CEST)
Message-ID: <19970728171633.10794@keltia.freenix.fr>
Date: Mon, 28 Jul 1997 17:16:33 +0200
From: Ollivier Robert <roberto@keltia.freenix.fr>
To: security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
References: <Pine.BSF.3.95.970728031228.3844A-100000@mail.MCESTATE.COM>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.76
In-Reply-To: <Pine.BSF.3.95.970728031228.3844A-100000@mail.MCESTATE.COM>; from Vincent Poy on Mon, Jul 28, 1997 at 03:19:55AM -0700
X-Operating-System: FreeBSD 3.0-CURRENT ctm#3481 AMD-K6 MMX @ 208 MHz
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

According to Vincent Poy:
> 1) User on mercury machine complained about perl5 not working which was
> perl5.003 since libmalloc lib it was linked to was missing.
> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
> and it works.

I don't think he used perl to hack root unless you kept old versions of
Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by
Werner. 5.003+ holes are fixed in 5.004 and later.

> 6) We went to inetd.conf and shut off all daemons except telnetd and 
> rebooted and user still can get onto the machine invisibly.

That shows that he has used a spare port to hook a root shell on. In these
case, "netstat -a" or "lsof -i:TCP" will give you all connections,
including those on which a program is LISTENing to. That way you'll catch
any process left on a port.

-- 
Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997