Date:      Tue, 25 Jun 1996 08:39:37 +0200
From:      Mark Murray <mark@grumble.grondar.za.@grondar.za>
To:        -Vince- <vince@mercury.gaianet.net>
Cc:        Mark Murray <mark@grumble.grondar.za>, hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <199606250639.IAA08093@grumble.grondar.za>

-Vince- wrote:
> > If you do not know the basics, like setuid, you are WIDE open for this
> > kind of attack.
> 
> 	Well, I know what a setuid is but didn't know it was called a setuid
> since it has that s in the permissions...  Also, on our machine, the wheel
> group only has chad, jbhunt, vince and root and the only person who can 
> login to root directly is chad at the console, we all need to su.

Ok...

> > This shell could have been created two ways (That are currently in
> > popular cracker use):
> > 
> > 1) The cracker snooped your root password somehow, (digging through
> >    your desk/dustbin or by running a snooper somewhere), then created
> >    this suid shell for future use.
> 
> 	This isn't possible since Gaianet isn't open to the public for
> people to snoop around.

Physically, OK, but electronically?

> > 2) The Cracker made a trojan script somewhere (usually exploiting
> >    some admins (roots) who have "." in their path). This way he creates
> >    a script that when run as root will make him a suid program.
> >    after this he has you by tender bits.
> 
> 	Hmmm, doesn't everyone have . as their path since all . does is allow
> someone to run stuff from the current directory...

Not root! This leaves you wide open for trojans. As root you should
have to type ./foo to run foo in the current directory.

> > There are other ways, but these are the most popular.
> > 
> > For much more info, I recommend "Practical Unix Security" from
> > O'Reilly and Associates, (By Garfinkel?)
> 
> 	I have that book but there are always ways no one knows about ;)

Sure! :-)

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
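An added example, not part of the original thread: a POSIX shell audit for the two points Mark raises, "." or relative entries in root's PATH (which let a trojan in the current directory shadow a command) and setuid/setgid files that should be reviewed for an unexpected suid shell. The function names and the directory argument are constructed for illustration.

```shell
#!/bin/sh
# Audit helpers (constructed example): check a PATH string for entries
# that resolve to the current directory, and list setuid/setgid files.

# Print each unsafe entry of the PATH given as $1; return 1 if any found.
check_path() {
    _path=$1
    _bad=0
    # A leading, trailing or doubled colon is an empty entry, which the
    # shell treats as "." (the current directory).
    case "$_path" in
        :*|*:|*::*) echo "unsafe: empty entry (current directory)"; _bad=1 ;;
    esac
    _old_ifs=$IFS; IFS=:
    for _dir in $_path; do
        case "$_dir" in
            "") ;;                                   # already reported above
            .|./*) echo "unsafe: $_dir (current directory)"; _bad=1 ;;
            /*) ;;                                   # absolute path, fine
            *) echo "unsafe: $_dir (relative path)"; _bad=1 ;;
        esac
    done
    IFS=$_old_ifs
    return $_bad
}

# Count setuid/setgid regular files under directory $1 (one filesystem).
count_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# List them with owner and mode; compare against what the OS installed.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# Usage: sh audit.sh /usr/local   (audits $PATH, then lists suid files)
audit() {
    check_path "$PATH" && echo "PATH ok"
    echo "setuid/setgid files under $1: $(count_suid "$1")"
    list_suid "$1"
}
if [ $# -gt 0 ]; then audit "$@"; fi
```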