From owner-freebsd-security Mon Nov 8 10:30:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from trooper.velocet.net (trooper.velocet.net [216.126.82.226]) by hub.freebsd.org (Postfix) with ESMTP id BEFA014C1E for ; Mon, 8 Nov 1999 10:30:42 -0800 (PST) (envelope-from dgilbert@trooper.velocet.net)
Received: (from dgilbert@localhost) by trooper.velocet.net (8.9.3/8.9.3) id NAA02623; Mon, 8 Nov 1999 13:30:41 -0500 (EST) (envelope-from dgilbert)
From: David Gilbert
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14375.5840.975982.927941@trooper.velocet.net>
Date: Mon, 8 Nov 1999 13:30:40 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: A new 'sploit?
X-Mailer: VM 6.75 under 20.4 "Emerald" XEmacs Lucid
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On one of our client's servers, we found a directory structure full of alternating "Your public key (512-bit) goes here" and capital-A-repeated directory names. I assume the script kiddie should have replaced all the capital A's with their public key. Inside these directories, 'find.core' was linked to /root/.ssh/authorized_keys.

Now... since my authorized_keys file is not overwritten, I gather that root processes don't drop core any longer? Maybe I have corefiles ulimited to 0.

Anyways... I'm still stuck with trying to remove this giant block of directories. Bash won't allow me to cd into them, but if I cd into them with sh, I can get all the way to the end.
Once I'm in that last directory, if I try to run any command (any non-internal command), I get:

[1:\#:\!]\u@eve:\w> pwd | wc
wc: argument list too long
[1:\#:\!]\u@eve:\w> pwd >/tmp/foo
[1:\#:\!]\u@eve:\w> wc /tmp/foo
wc: argument list too long
[1:\#:\!]\u@eve:\w> echo *
find.core
[1:\#:\!]\u@eve:\w> rm fine.core
rm: argument list too long

FYI (I'm not going to include the whole file):

[1:19:319]root@eve:/usr/local/bin> wc /tmp/foo
     601    2701   87914 /tmp/foo
[1:20:320]root@eve:/usr/local/bin> head /tmp/foo
/u/adam/10622/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
YOUR PUBLIC SSH1 KEY (-b 512) GOES HERE!

Dave.

--
============================================================================
|David Gilbert, Velocet Communications.       | Two things can only be    |
|Mail:       dgilbert@velocet.net             | equal if and only if they |
|http://www.velocet.net/~dgilbert             | are precisely opposite.   |
=========================================================GLO================

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
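Added example, not part of David's message or of any FreeBSD code: a POSIX sh script that rebuilds the kind of tree he describes (a chain of very long directory names with a find.core symlink at the bottom, here built in a scratch directory and pointing at a harmless constructed file rather than /root/.ssh/authorized_keys) and then removes it using only relative paths, which is what cd'ing down level by level in sh amounts to. Once the absolute path of the leaf passes PATH_MAX, any syscall handed the whole string fails with ENAMETOOLONG, and a shell that exports an 87 KB PWD can no longer exec anything because the environment alone exceeds ARG_MAX, which is consistent with the "argument list too long" in the session above. The depth (20) and name length (250) are chosen so the leaf path is longer than 4096 bytes, the Linux PATH_MAX, which is an assumption about the host this is run on; `cd -P` is used throughout so the shell does chdir() on the relative name rather than on the accumulated logical path. Modern `rm -r` implementations usually cope with such trees on their own via fts; the point of `remove_deep` is to show the relative-path technique explicitly.

```shell
#!/bin/sh
# Added example (not code from the post): build and remove a directory chain
# whose absolute path is longer than the system can handle, using only
# relative paths. All names and the scratch layout are constructed here.

# repeat_a N: print N capital As (constructed directory name).
repeat_a() {
    n=$1 s=''
    while [ "$n" -gt 0 ]; do s="${s}A"; n=$((n - 1)); done
    printf '%s\n' "$s"
}

# make_deep_tree TOP TARGET DEPTH NAMELEN
# Constructed sample: DEPTH nested directories of NAMELEN As under TOP and a
# symlink find.core -> TARGET in the deepest one (the post's
# /root/.ssh/authorized_keys; here any file the caller chooses).
make_deep_tree() (
    top=$1 target=$2 depth=$3
    name=$(repeat_a "$4")
    mkdir -p -- "$top" && cd -P -- "$top" || exit 1
    i=0
    while [ "$i" -lt "$depth" ]; do
        mkdir -- "$name" && cd -P -- "$name" || exit 1
        i=$((i + 1))
    done
    ln -s -- "$target" find.core
)

# full_leaf_path TOP DEPTH NAMELEN: the absolute path of the deepest
# directory as a string. Once it is longer than PATH_MAX, stat()/open() on
# it fail with ENAMETOOLONG even though the directory exists.
full_leaf_path() {
    p=$1 d=$2
    name=$(repeat_a "$3")
    while [ "$d" -gt 0 ]; do p="$p/$name"; d=$((d - 1)); done
    printf '%s\n' "$p"
}

# leaf_has_symlink TOP DEPTH NAMELEN: walk down one component at a time and
# report whether find.core at the bottom is a symlink. Works where a single
# stat() of the full path cannot.
leaf_has_symlink() (
    cd -P -- "$1" || exit 1
    name=$(repeat_a "$3")
    d=$2
    while [ "$d" -gt 0 ]; do cd -P -- "$name" || exit 1; d=$((d - 1)); done
    [ -L find.core ]
)

# remove_deep NAME: remove directory NAME (relative to the current directory)
# and everything under it without ever forming an absolute path. The body is
# a subshell so each level keeps its own cwd and variables. Symlinks are
# unlinked, never followed, so whatever find.core points at is left alone.
remove_deep() (
    cd -P -- "$1" || exit 1
    for e in * .[!.]* ..?*; do
        # an unmatched glob is left literal; skip those
        [ -e "$e" ] || [ -L "$e" ] || continue
        if [ -d "$e" ] && [ ! -L "$e" ]; then
            remove_deep "$e" || exit 1
        else
            rm -f -- "$e" || exit 1
        fi
    done
    cd -P .. && rmdir -- "$1"
)

# Demo: DEEP_TREE_DEMO=1 sh this_file.sh
if [ "${DEEP_TREE_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    : > "$work/authorized_keys"                 # stand-in for the real target
    make_deep_tree "$work/nest" "$work/authorized_keys" 20 250
    ls -- "$(full_leaf_path "$work/nest" 20 250)/find.core" 2>&1 | head -n 1
    leaf_has_symlink "$work/nest" 20 250 && echo "leaf symlink present"
    (cd -P -- "$work" && remove_deep nest) && echo "tree removed"
    rm -rf -- "$work"
fi
```

Run the demo and the `ls` on the assembled full path fails while `leaf_has_symlink` succeeds from the same tree; `remove_deep` then clears it from the bottom up and the symlink's target survives untouched. On a shell that refuses to `cd` into the deep levels, `cd -P` is the thing to try first, since it makes the shell chdir() on the name you typed instead of on a path it has already grown past the limit.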