Date: Tue, 25 Jun 1996 13:39:04 -0700 (PDT)
From: -Vince- <vince@mercury.gaianet.net>
To: jbhunt <jbhunt@mercury.gaianet.net>
Cc: Mark Murray <mark@grumble.grondar.za>, Michael Smith <msmith@atrad.adelaide.edu.au>, mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <Pine.BSF.3.91.960625133204.25073I-100000@mercury.gaianet.net>
In-Reply-To: <Pine.BSF.3.91.960625124743.7346A-100000@mercury.gaianet.net>
On Tue, 25 Jun 1996, jbhunt wrote:

> On Tue, 25 Jun 1996, Mark Murray wrote:
>
> > [hackers removed from cc: - the crosspost is getting a bit much there]
> >
> > jbhunt wrote:
> > > Ok, this is jb. First of all, this copied from here to there as root
> > > didn't happen. I gave this fella an account knowing more than likely if
> > > we had a hole he would find it. Unfortunately I wasn't watching his tty
> > > when he actually used whatever exploit he used.
> >
> > Ok...
> >
> > > He obviously used a
> > > setuid exploit so I suggest that there is a new exploit out abusing a
> > > setuid program somewhere on the system because I know vince fixed the
> > > mount_union and current fixed the old ypwhich hack.
> >
> > Not so fast. You didn't see what he did, but you are claiming suid.
> > Maybe, maybe not. You don't _know_.
> >
> > > Or actually maybe not
> > > so old for some of you, but either way I did have to give him an account
> > > before he could do anything. However, once inside it took him 2 minutes
> > > and he was root. I know for a fact it was his FIRST look inside the
> > > system and I ran no scripts from his dir.
> >
> > How do you know? If "." is in your path, you run a script from wherever
> > you are - /tmp, /var/tmp, /var/mail if you have made that world writable,
> > etc. What other world writable directories do you have? What runs out
> > of cron? What is automatically executed when you run emacs? vi? What
> > is your EDITOR setting for vipw? Do you read your daily security report?

The directories world writable are /tmp and /var/tmp.... /var/mail isn't.
Nothing runs out of cron since we don't allow crontabs from anyone other
than root. We don't have emacs installed and vi just runs /usr/bin/vi.
vipw is using vi... and we do read our daily security report...

> > Create a new suid file and see if it is reported the next day.
> >
> > > That option is out so don't
> > > bother. I did start watching his tty after he took root but it was too
> > > late. I am open to any suggestions any of you have; so far this seems to
> > > be a very constructive group :>
> >
> > The most constructive suggestion at the moment is to look for your own
> > mistakes, and be more open to them. So far it seems you (collectively)
> > have made lots, but aren't admitting this - even to yourselves.
> >
> > Ask him what he did - maybe he'll even tell you? :-) If it is a FreeBSD
> > security hole, we'll all thank him and you for finding it :-).
>
> Yes, I read the security reports; as I said, it hasn't been reporting any
> unusual suid programs. No, he won't tell me; I already asked, of course. As
> vince stated, we are remote admins; we both have to su to root, so the only
> person on the actual console is chad. As for running a script, I know for
> a fact that I wasn't running anything at the time. I know this guy's
> methods for the most part, so I am almost sure he has some new exploit. He
> also claims to have one that EVERY linux box is vulnerable to; of course
> he won't tell me or give it to me.

Vince
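Mark Murray's checklist in the thread above (is "." in PATH, which directories are world-writable and not sticky, and does a newly created setuid file show up in the next daily report) written out as a small POSIX shell script. This is an added example, not code from the thread or from FreeBSD's own daily security scripts. The sample directory tree it builds under mktemp is constructed for illustration (sticky /tmp and /var/tmp, one legitimate setuid su, a /var/mail wrongly made world-writable), and the baseline file name setuid.baseline is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): Mark Murray's checks as shell functions.
# Run against "/" on a real host, or against the constructed sample tree below.

# Does PATH contain "." or an empty component?  Either makes the shell run
# programs from the current directory.  Returns 0 (true) when it does.
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# World-writable directories under $1 that lack the sticky bit.  /tmp and
# /var/tmp are expected to be 1777; anything else here is a place where an
# unprivileged user can replace files that other users or root will run.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Setuid or setgid regular files under $1, sorted so two runs can be compared.
setuid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# What the daily report does with its saved list: print the setuid files
# under $2 that are not in the baseline file $1.  Empty output means no change.
new_setuid() {
    baseline=$1
    root=$2
    setuid_list "$root" | comm -13 "$baseline" -
}

# Constructed sample tree (assumption, not a real system): sticky /tmp and
# /var/tmp, one legitimate setuid su, and a /var/mail that was made 777.
# Prints the root of the tree.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp" "$root/var/tmp" "$root/var/mail"
    chmod 755 "$root/usr" "$root/usr/bin" "$root/var"
    chmod 1777 "$root/tmp" "$root/var/tmp"
    chmod 777 "$root/var/mail"
    printf '#!/bin/sh\n' > "$root/usr/bin/su"
    chmod 4755 "$root/usr/bin/su"
    printf '%s\n' "$root"
}

# "Create a new suid file and see if it is reported": drop a setuid shell
# script into the sample tree's /tmp.  Prints the path of the planted file.
plant_setuid() {
    printf '#!/bin/sh\n' > "$1/tmp/sh"
    chmod 4755 "$1/tmp/sh"
    printf '%s\n' "$1/tmp/sh"
}

main() {
    root=$(build_sample_tree)
    printf 'PATH check: '
    path_has_dot "$PATH" && echo 'PATH contains "." (remove it)' || echo 'ok'
    echo 'World-writable directories without the sticky bit:'
    world_writable_dirs "$root"
    setuid_list "$root" > "$root/setuid.baseline"   # yesterday's report
    plant_setuid "$root" > /dev/null
    echo 'Setuid files that appeared since the baseline:'
    new_setuid "$root/setuid.baseline" "$root"
    rm -rf "$root"
}

main
```

On a real host the baseline has to be stored where the intruder cannot edit it, or a root compromise that plants a setuid file can also rewrite the list the report compares against; that is the limit of the "see if it is reported" test.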
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960625133204.25073I-100000>
