From owner-freebsd-security Tue Jun 25 13:31:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id NAA15195 for security-outgoing; Tue, 25 Jun 1996 13:31:40 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA15184
    for ; Tue, 25 Jun 1996 13:31:37 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12)
    id NAA15936; Tue, 25 Jun 1996 13:31:04 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:31:04 -0700 (PDT)
From: -Vince-
To: Arlen Fletcher
cc: security@freebsd.org, jbhunt , Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606251653.JAA09261@mugwump.paccar.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Arlen Fletcher wrote:

> At 08:43 AM 6/25/96 -0700, you wrote:
> >On Tue, 25 Jun 1996, Michael Smith wrote:
> > > [snip]
> >
> >Ok, this is jb. First of all this copied from here to there as root
> >didn't happen. I gave this fella an account knowing more than likely if
> >we had a hole he would find it. Unfortunately I wasn't watching his tty
> >when he actually used whatever exploit he used. He obviously used a
> >setuid exploit so I suggest that there is a New exploit out abusing a
> >setuid program somewhere on the system because I know vince fixed the
> >mount_union and current fixed the old ypwhich hack. Or actually maybe not
> >so old for some of you, but either way I did have to give him an account
> >before he could do anything. However, once inside it took him 2 minutes
> >and he was root. I know for a fact it was his FIRST look inside the
> >
>
> Did you by any chance check the history file? I presume he vaporized it,
> but you never know....

I did but he didn't have a history file..

> Of course it's 20/20 hindsight, but copying the history file somewhere
> else when you see a user doing something bizarre (like becoming root)
> might be worth thinking about in the future.

Yeah, I always check the history file...

Vince