From: -Vince-
Date: Tue, 25 Jun 1996 13:39:04 -0700 (PDT)
To: jbhunt
Cc: Mark Murray, Michael Smith, mark@grondar.za, security@FreeBSD.ORG, chad@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!

On Tue, 25 Jun 1996, jbhunt wrote:

> On Tue, 25 Jun 1996, Mark Murray wrote:
>
> > [hackers removed from cc: - the crosspost is getting a bit much there]
> >
> > jbhunt wrote:
> > > Ok, this is jb. First of all, this copied from here to there as root
> > > didn't happen. I gave this fella an account knowing more than likely if
> > > we had a hole he would find it. Unfortunately I wasn't watching his tty
> > > when he actually used whatever exploit he used.
> >
> > Ok...
> >
> > > He obviously used a setuid exploit, so I suggest that there is a new
> > > exploit out abusing a setuid program somewhere on the system, because I
> > > know vince fixed the mount_union and current fixed the old ypwhich hack.
> >
> > Not so fast. You didn't see what he did, but you are claiming suid.
> > Maybe, maybe not. You don't _know_.
> >
> > > Or actually maybe not so old for some of you, but either way I did have
> > > to give him an account before he could do anything. However, once inside
> > > it took him 2 minutes and he was root. I know for a fact it was his FIRST
> > > look inside the system and I ran no scripts from his dir.
> >
> > How do you know? If "." is in your path, you run a script from wherever
> > you are - /tmp, /var/tmp, /var/mail if you have made that world writable
> > etc. What other world writable directories do you have? What runs out
> > of cron? What is automatically executed when you run emacs? vi? What
> > is your EDITOR setting for vipw? Do you read your daily security report?

The directories that are world writable are /tmp and /var/tmp.... /var/mail
isn't. Nothing runs out of cron, since we don't allow crontabs from anyone
other than root. We don't have emacs installed, and vi just runs
/usr/bin/vi. vipw is using vi... and we do read our daily security report...

> > Create a new suid file and see if it is reported the next day.
> >
> > > That option is out so don't bother. I did start watching his tty after
> > > he took root but it was too late. I am open to any suggestions any of
> > > you have; so far this seems to be a very constructive group :>
> >
> > The most constructive suggestion at the moment is to look for your own
> > mistakes, and be more open to them. So far it seems you (collectively)
> > have made lots, but aren't admitting this - even to yourselves.
> >
> > Ask him what he did - maybe he'll even tell you? :-) If it is a FreeBSD
> > security hole, we'll all thank him and you for finding it :-).
>
> Yes, I read the security reports; as I said, it hasn't been reporting any
> unusual suid programs. No, he won't tell me; I already asked, of course. As
> vince stated, we are remote admins; we both have to su to root, so the only
> person on the actual console is chad. As for running a script, I know for
> a fact that I wasn't running anything at the time. I know this guy's
> methods for the most part, so I am almost sure he has some new exploit. He
> also claims to have one that EVERY Linux box is vulnerable to; of course
> he won't tell me or give it to me.

Vince
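As an added example that is not part of this thread or of FreeBSD's own daily security script: the checks Mark's questions point at (a "." in PATH, world-writable directories without the sticky bit, and a saved setuid list compared against the next run, which is what "create a new suid file and see if it is reported" tests) as small POSIX shell functions. The tree and baseline file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: shell functions for the checks Mark
# asks about. Tree and baseline paths are assumptions chosen for illustration.

# Does a PATH string search the current directory? "." as an element, or an
# empty element (leading/trailing ":" or "::"), both mean "run whatever is
# in the directory I happen to be in", e.g. a script left in /tmp.
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Directories anyone can write to that lack the sticky bit. /tmp-style
# directories with the sticky bit are expected and are skipped; anything
# else listed is a place a user could plant or replace files.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Sorted list of setuid/setgid files under a tree; sorting makes the list
# comparable with a saved copy, the way the daily report diffs its
# previous run.
setuid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare today's setuid list with a baseline saved earlier. Prints any
# paths that are new since the baseline and returns 1 if there are any.
# Usage (paths assumed):
#   setuid_list / > /var/db/setuid.base     # save the baseline
#   setuid_changes / /var/db/setuid.base    # run again the next day
setuid_changes() {
    new=$(setuid_list "$1" | comm -13 "$2" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}
```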