Date: Mon, 15 Jul 1996 00:43:05 -0700 (PDT)
From: -Vince-
To: Poul-Henning Kamp
cc: jbhunt, freebsd-security-notification@freebsd.org, freebsd-security@freebsd.org, root@mercury.gaianet.net
Subject: Re: New EXPLOIT located!
In-Reply-To: <4865.837416101@critter.tfs.com>
Sender: owner-security@freebsd.org

On Mon, 15 Jul 1996, Poul-Henning Kamp wrote:

> >Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers
> >around our box. FINALLY, today at about 3 pm one of them made a BIG BIG
> >mistake. Fortunately for us, I was around to watch what happened and kill
> >the user before he was able to erase his history files and the exploit
> >itself. So here are the files necessary to fix whatever hole this
> >exploits. We run FreeBSD Current so it obviously makes most FreeBSD
> >systems vulnerable to a root attack. I appreciate any help you can offer.
>
> OK, this is the rdist hole, it's already being worked on I think.
>
> remove the rdist program from your system, or just remove the setuid
> bit from it.
>
> Do normal "we've been hacked cleanup".

While we're on the subject, is there a hole with mount_msdos also? The guy
had some text on mount_msdos, but I deleted /sbin/mount_msdos and
-current still installs it with the setuid bit...

Vince
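
The mitigation discussed in this thread (clear the setuid bit on rdist, and the observation that a reinstall puts the bit back on mount_msdos), shown as an added example that is not code from the posters or from FreeBSD: a shell audit that lists setuid files not on an allowlist and clears the bit, so it can be re-run after each install. The function names, the allowlist and the scratch directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. Function names and the allowlist are hypothetical;
# the demo works only on files it creates in a scratch directory.

# audit_setuid DIR [ALLOWED_NAME...]
# Print every regular file under DIR that has the setuid bit set and
# whose basename is not one of the allowed names.
audit_setuid() {
    dir=$1; shift
    allow=" $* "
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        case "$allow" in
            *" $(basename "$f") "*) ;;        # expected setuid program
            *) printf '%s\n' "$f" ;;          # unexpected: report it
        esac
    done
}

# strip_unexpected_setuid DIR [ALLOWED_NAME...]
# Clear the setuid bit on everything audit_setuid reports and log it.
strip_unexpected_setuid() {
    audit_setuid "$@" | while IFS= read -r f; do
        chmod u-s "$f" && printf 'cleared setuid: %s\n' "$f"
    done
}

# Constructed demo: three empty files marked setuid in a temp directory,
# with only "passwd" on the allowlist.
demo=$(mktemp -d)
for n in rdist mount_msdos passwd; do
    : > "$demo/$n"
    chmod 4755 "$demo/$n"
done
strip_unexpected_setuid "$demo" passwd
rm -rf "$demo"
```

Run against a real tree, the same call would be made as root with the site's own allowlist; because an install can restore the bit, the audit belongs after every upgrade rather than once.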