Date:      Tue, 25 Jun 1996 08:25:10 +0200
From:      Mark Murray <mark@grumble.grondar.za>
To:        -Vince- <vince@mercury.gaianet.net>
Cc:        Matthew Jason White <mwhite+@CMU.EDU>, Mark Murray <mark@grumble.grondar.za>, Wilko Bulte <wilko@yedi.iaf.nl>, "Jordan K. Hubbard" <jkh@time.cdrom.com>, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <199606250625.IAA07815@grumble.grondar.za>

-Vince- wrote:
> > I think perhaps a better question to be asking is how this guy got a
> > suid shell on that system.  It could have been a booby-trapped program
> > that got run as root, but one would hope that such a chintzy method
> > wouldn't work on most systems.
> 
> 	Yeah, that's the real question: if he can transfer the 
> binary from another machine and have it work... other people can do the 
> same thing and gain access to FreeBSD boxes as root as long as they have 
> an account on that machine...

I must be a little harsh here, but I'll be diplomatic, OK? :-)

You didn't know it was a setuid file, in fact you seemed not to know
what a setuid file was. (Am I correct?) If someone has root on your
machine, which he will have if he has a setuid shell, he has the
ability to compromise your whole (possibly weakly set up) network.

If you do not know the basics, like setuid, you are WIDE open for this
kind of attack.

This shell could have been created two ways (That are currently in
popular cracker use):

1) The cracker snooped your root password somehow (digging through
   your desk/dustbin or by running a snooper somewhere), then created
   this suid shell for future use.

2) The cracker made a trojan script somewhere (usually exploiting
   some admins (roots) who have "." in their path). This way he creates
   a script that, when run as root, will make him a suid program.
   After this he has you by the tender bits.

There are other ways, but these are the most popular.

For much more info, I recommend "Practical Unix Security" from
O'Reilly and Associates (by Garfinkel?).

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
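Both routes Mark lists end with an unexpected setuid file on the box, and the second one depends on an administrator whose PATH includes "." or an empty entry. The script below is an added example, written for this archive page and not part of the original mail or of FreeBSD; it turns those two points into defender-side checks in POSIX sh: a PATH sanity test and a sorted setuid/setgid inventory that can be saved once and compared against later. The function names, the `audit.sh` file name and the sample paths are assumptions; the checks need no root.

```shell
#!/bin/sh
# Added example, not part of the original mail: two audit checks a Unix admin
# can run after reading the discussion above. Nothing here needs root.

# Check 1: does a PATH value contain "." or an empty entry? Both mean "the
# current directory", which is exactly what a trojan script in a world-writable
# directory relies on. Returns 0 if the PATH is unsafe, 1 if it is clean.
path_has_dot() {
    # Wrap the value in colons so a leading, trailing or doubled colon all
    # show up as "::" and a bare "." shows up as ":.:".
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Check 2: list every setuid or setgid regular file under a directory tree,
# sorted, so the output can be kept as a baseline and compared later.
# -xdev keeps find on one filesystem; errors (unreadable dirs) are discarded.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print setuid/setgid files present now but absent from a saved baseline.
# $1 = baseline file produced earlier by list_setuid, $2 = directory to scan.
# Anything printed is a file that gained a suid/sgid bit since the baseline.
new_setuid_files() {
    list_setuid "$2" | comm -13 "$1" -
}

# Usage when saved as audit.sh (the functions are also usable on their own):
#   sh audit.sh                     -> inspect $PATH and list suid files under /usr
#   list_setuid / > baseline.txt    -> save once, while the system is known-good
#   new_setuid_files baseline.txt / -> later: anything printed needs explaining
if [ "${0##*/}" = "audit.sh" ]; then
    if path_has_dot "$PATH"; then
        echo "WARNING: PATH contains '.' or an empty entry: $PATH"
    else
        echo "PATH ok"
    fi
    echo "setuid/setgid files under /usr:"
    list_setuid /usr
fi
```

The baseline approach is what makes the second check useful: a stock system has dozens of legitimate setuid binaries, so a raw listing tells you little, but a file that appears in the diff after the baseline was taken is either a package you installed or something to investigate.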



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606250625.IAA07815>