From owner-freebsd-hackers Mon Jun 24 23:30:34 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA20180 for hackers-outgoing; Mon, 24 Jun 1996 23:30:34 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA20152; Mon, 24 Jun 1996 23:30:24 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id IAA07815; Tue, 25 Jun 1996 08:25:11 +0200 (SAT)
Message-Id: <199606250625.IAA07815@grumble.grondar.za>
To: -Vince-
cc: Matthew Jason White, Mark Murray, Wilko Bulte, "Jordan K. Hubbard", guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 08:25:10 +0200
From: Mark Murray
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote:
> > I think perhaps a better question to be asking is how this guy got a
> > suid shell on that system. It could have been a booby-trapped program
> > that got run as root, but one would hope that such a chintzy method
> > wouldn't work on most systems.
>
> Yeah, that's the real question is like if he can transfer the
> binary from another machine and have it work... other people can do the
> same thing and gain access to FreeBSD boxes as root as long as they have
> an account on that machine...

I must be a little harsh here, but I'll be diplomatic, OK? :-)

You didn't know it was a setuid file; in fact you seemed not to know what a setuid file was. (Am I correct?) If someone has root on your machine, which he will have if he has a setuid shell, he has the ability to compromise your whole (possibly weakly set up) network. If you do not know the basics, like setuid, you are WIDE open for this kind of attack.

This shell could have been created two ways (that are currently in popular cracker use):

1) The cracker snooped your root password somehow (digging through your desk/dustbin or by running a snooper somewhere), then created this suid shell for future use.

2) The cracker made a trojan script somewhere (usually exploiting some admins (roots) who have "." in their path). This way he creates a script that, when run as root, will make him a suid program. After this he has you by the tender bits.

There are other ways, but these are the most popular.

For much more info, I recommend "Practical Unix Security" from O'Reilly and Associates (by Garfinkel?).

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
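Two checks an admin can run against the scenarios Mark describes, as an added example that is not part of the thread: one flags a PATH that would let a planted script be run as root (".", an empty component, or any relative entry), the other lists setuid files under a directory and marks those named like a shell. It assumes a POSIX sh with find(1); the function names are made up here.

```shell
#!/bin/sh
# Added example: defensive checks for the setuid-shell scenarios above.

# path_has_unsafe_entry PATH_STRING
# Returns 0 (true) if the PATH contains ".", an empty component (which the
# shell also treats as the current directory), or any relative entry.
# Root running a command from a directory the attacker can write to is the
# hook behind the trojan-script case.
path_has_unsafe_entry() {
    rest="$1:"                      # trailing ":" so the last entry is parsed too
    while [ -n "$rest" ]; do
        p=${rest%%:*}               # entry before the first ":"
        rest=${rest#*:}             # everything after it
        case "$p" in
            ""|.) return 0 ;;       # current directory, implicit or explicit
            /*)   ;;                # absolute entry: fine
            *)    return 0 ;;       # relative entry such as "bin" or "./bin"
        esac
    done
    return 1
}

# flag_setuid_shells DIR
# Prints every setuid regular file under DIR, one per line. Files named
# like a shell are prefixed "SHELL:" because a sane system never has one;
# everything else is prefixed "setuid:" for comparison against the known
# system binaries (passwd, su, ...). Ownership is left for the admin to
# inspect with ls -l, since a setuid file only matters if root owns it.
flag_setuid_shells() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        case "${f##*/}" in
            sh|bash|csh|tcsh|ksh|zsh|*.sh) printf 'SHELL: %s\n' "$f" ;;
            *)                             printf 'setuid: %s\n' "$f" ;;
        esac
    done
}

# Typical use on a live system (root's PATH, then the whole filesystem):
#   path_has_unsafe_entry "$PATH" && echo "WARNING: unsafe PATH: $PATH"
#   flag_setuid_shells /
```

Run both as root on a regular schedule and diff the setuid list against the previous run; a new entry, and any "SHELL:" line at all, is what the thread's suid shell would look like.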