From owner-freebsd-hackers Mon Jun 24 23:33:36 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA20346 for hackers-outgoing; Mon, 24 Jun 1996 23:33:36 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA20340; Mon, 24 Jun 1996 23:33:33 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id XAA00291; Mon, 24 Jun 1996 23:32:56 -0700 (PDT)
Date: Mon, 24 Jun 1996 23:32:55 -0700 (PDT)
From: -Vince-
To: Mark Murray
cc: hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250625.IAA07815@grumble.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Mark Murray wrote:

> -Vince- wrote:
> > > I think perhaps a better question to be asking is how this guy got a
> > > suid shell on that system. It could have been a booby-trapped program
> > > that got run as root, but one would hope that such a chintzy method
> > > wouldn't work on most systems.
> >
> > Yeah, that's the real question is like if he can transfer the
> > binary from another machine and have it work... other people can do the
> > same thing and gain access to FreeBSD boxes as root as long as they have
> > an account on that machine...
>
> I must be a little harsh here, but I'll be diplomatic, OK? :-)
>
> You didn't know it was a setuid file, in fact you seemed not to know
> what a setuid file was. (Am I correct?) If someone has root on your
> machine, which he will have if he has a setuid shell, he has the
> ability to compromise your whole (possibly weakly set up) network.
>
> If you do not know the basics, like setuid, you are WIDE open for this
> kind of attack.
Well, I know what a setuid is but didn't know it was called a setuid since it
has that s in the permissions... Also, on our machine, the wheel group only has
chad, jbhunt, vince and root, and the only person who can log in to root
directly is chad at the console; we all need to su.

> This shell could have been created two ways (That are currently in
> popular cracker use):
>
> 1) The cracker snooped your root password somehow, (digging through
> your desk/dustbin or by running a snooper somewhere), then created
> this suid shell for future use.

This isn't possible since Gaianet isn't open to the public for people to
snoop around.

> 2) The Cracker made a trojan script somewhere (usually exploiting
> some admins (roots) who have "." in their path). This way he creates
> a script that when run as root will make him a suid program.
> after this he has you by tender bits.

Hmmm, doesn't everyone have . as their path since all . does is allow someone
to run stuff from the current directory...

> There are other ways, but these are the most popular.
>
> For much more info, I recommend "Practical Unix Security" from
> O'Reilly and Associates, (By Garfinkel?)

I have that book but there are always ways no one knows about ;)

Vince
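Two defender-side checks for the mechanisms Mark describes in the quoted text (a setuid shell left on the box, and "." in an administrator's PATH), added here as an example; this is not from the original thread or from the Gaianet systems, and it assumes only POSIX sh and find(1). Note that an empty PATH entry (a leading, trailing or doubled ":") is searched as the current directory too, so the check treats it like an explicit ".".

```shell
#!/bin/sh
# Added example, not part of the original thread: two defender-side checks
# for the mechanisms discussed above.  Assumes POSIX sh and find(1).

# path_has_dot PATHSTRING
# Succeeds (exit 0) if the search path contains "." or an empty entry.
# An empty entry ("::", a leading or trailing ":") also means "current
# directory", so it is just as risky as an explicit "." when root uses it.
path_has_dot() {
    case "$1" in
        ""|.|.:*|*:.|*:.:*|:*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_setuid DIR
# Prints every regular file under DIR that has the setuid bit set.
# Compare the output against a known-good baseline taken after install;
# a new entry is exactly the "suid shell" artefact discussed in the thread.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# find_setuid_shells DIR
# Narrows the list to files named like common shells, the usual shape of a
# planted setuid shell.  Returns 1 (grep's "no match") when none is found.
find_setuid_shells() {
    find_setuid "$1" | grep -E '(^|/)(sh|bash|csh|tcsh|ksh|zsh)$'
}

# Demo: check the caller's PATH and scan /usr/bin for setuid shells.
if path_has_dot "$PATH"; then
    echo "WARNING: PATH searches the current directory: $PATH"
else
    echo "PATH does not search the current directory"
fi
echo "setuid shells under /usr/bin (none expected on a healthy system):"
find_setuid_shells /usr/bin || echo "  none found"
```

Run the setuid scan from cron against a baseline (for example, diff the output of `find_setuid /` against a saved copy) so a newly planted file shows up within hours rather than when the next intrusion is noticed.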