From owner-freebsd-hackers Tue Jun 25 04:11:55 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA15270 for hackers-outgoing; Tue, 25 Jun 1996 04:11:55 -0700 (PDT)
Received: from seagull.rtd.com (root@seagull.rtd.com [198.102.68.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA15248; Tue, 25 Jun 1996 04:11:50 -0700 (PDT)
Received: (from dgy@localhost) by seagull.rtd.com (8.7.5/1.2) id EAA10554; Tue, 25 Jun 1996 04:05:40 -0700 (MST)
From: Don Yuniskis
Message-Id: <199606251105.EAA10554@seagull.rtd.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: mark@grumble.grondar.za.@grondar.za (Mark Murray)
Date: Tue, 25 Jun 1996 04:05:40 -0700 (MST)
Cc: vince@mercury.gaianet.net, dgy@rtd.com, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: <199606251002.MAA09345@grumble.grondar.za> from "Mark Murray" at Jun 25, 96 12:02:23 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > > Well, it *appears* that one of *you* did! :>
> >
> > Well, jbhunt was the one who gave the user the account and the
> > user just transferred the root which is /bin/sh with setuid and ran it
> > and he got root....
>
> Review that. _Carefully_. I think you are seriously WRONG there. That
> user did something sneaky, and you did not see it.

I STRONGLY suggest "vince" repeat exactly what he's said here. When
he realizes it's "just not so", perhaps he'll rethink his NEXT post.

1) As root, create *any* suid file. Heck, use this guy's "root" file
just in case you can't do it yourself.

2) As non-root, try to make a copy of that file... use cp, cat >, ftp it,
up/download it via kermit, etc.

Let us know what you learn in the process!
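
The experiment in steps 1 and 2, as an added example that is not part of the original message: it marks a constructed scratch file setuid, copies it with `cat >`, and compares owner and setuid bit before and after. The function names and the scratch file are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: what a "cat >" copy of a setuid file looks like.
# All names and the scratch file are constructed for this example.

# Numeric owner of a file (third field of "ls -ln").
owner_uid() {
    ls -ln "$1" | awk '{print $3}'
}

# Print "uid=<owner> suid=<yes|no>" for a file.
describe() {
    if [ -u "$1" ]; then s=yes; else s=no; fi
    echo "uid=$(owner_uid "$1") suid=$s"
}

# Copy the way an unprivileged user would: the redirect creates a new
# file owned by the caller with mode 0666 & ~umask, so no setuid bit.
copy_with_cat() {
    cat "$1" > "$2"
}

# True only if running $1 would confer a uid other than the caller's:
# the setuid bit must be set AND the owner must be someone else.
grants_other_uid() {
    [ -u "$1" ] && [ "$(owner_uid "$1")" != "$(id -u)" ]
}

# Build a scratch setuid file, copy it, report both, and clean up.
run_experiment() {
    dir=$(mktemp -d) || return 1
    src="$dir/suid-original"
    printf 'constructed stand-in for a suid binary\n' > "$src"
    chmod 4755 "$src"                 # step 1: mark the file setuid
    copy_with_cat "$src" "$dir/copy"  # step 2: copy it
    echo "original: $(describe "$src")"
    echo "copy: $(describe "$dir/copy")"
    if grants_other_uid "$dir/copy"; then
        echo "verdict: copy confers another uid"
    else
        echo "verdict: copy confers nothing beyond the caller's own uid"
    fi
    rm -rf "$dir"
}

run_experiment
```
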