From owner-freebsd-hackers Tue Jun 25 01:52:32 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id BAA03863 for hackers-outgoing; Tue, 25 Jun 1996 01:52:32 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA03855;
    Tue, 25 Jun 1996 01:52:28 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12)
    id BAA17390; Tue, 25 Jun 1996 01:52:03 -0700 (PDT)
Date: Tue, 25 Jun 1996 01:52:02 -0700 (PDT)
From: -Vince-
To: Don Yuniskis
cc: mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG,
    chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250851.BAA00894@seagull.rtd.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Don Yuniskis wrote:

> It seems that -Vince- said:
> >
> > On Tue, 25 Jun 1996, Mark Murray wrote:
> >
> > >
> > > In his home directory he places a script called "dir" that creates a
> > > suid shell (silently) then prints the usual "command not found" error.
> > >
> > > He then phones you, asking for support, and tries to trick you into
> > > running his script. Having "." in your path makes his trickery easier.
> >
> > Hmmm, that's only if we had phone support.... We don't :) but do
> > admins really go run a program that the user said won't run?
>
> Well, it *appears* that one of *you* did! :>

Well, jbhunt was the one who gave the user the account and the user
just transferred the root which is /bin/sh with setuid and ran it and he got
root....

Vince
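
The point quoted above about "." in the search path, as an added example that is not part of the original message: a shell function that audits a PATH string for entries an administrator should not carry. The name `audit_path` and the sample PATH value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. audit_path is a hypothetical name.
# Prints one finding per risky PATH entry; returns 0 only when none are found.
audit_path() {
    path_value=$1
    findings=0
    # Append ':' so a trailing empty entry ("/bin:") is not lost when splitting.
    rest="${path_value}:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}     # text before the first ':'
        rest=${rest#*:}       # everything after the first ':'
        case $entry in
            "")
                # An empty entry is searched as the current directory.
                echo "empty entry (means current directory)"
                findings=$((findings + 1)) ;;
            .)
                echo "explicit '.' entry"
                findings=$((findings + 1)) ;;
            /*)
                # Absolute entry: flag it if any user can create files in it.
                if [ -d "$entry" ]; then
                    perms=$(ls -ldL -- "$entry" 2>/dev/null)
                    case $perms in
                        d???????w*)
                            echo "world-writable directory: $entry"
                            findings=$((findings + 1)) ;;
                    esac
                fi ;;
            *)
                # Any other relative entry depends on the current directory too.
                echo "relative entry: $entry"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample value: leading '.', a normal directory, a trailing empty entry.
audit_path ".:/usr/bin:" || true
```

Run it against root's own environment with `audit_path "$PATH"`; a non-zero status means at least one entry was flagged.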