From owner-freebsd-security Mon Nov 8 11:17: 3 1999 Delivered-To: freebsd-security@freebsd.org Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 6689C14E7E for ; Mon, 8 Nov 1999 11:16:59 -0800 (PST) (envelope-from mike@sentex.net) Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id OAA13238; Mon, 8 Nov 1999 14:16:58 -0500 (EST) Message-Id: <3.0.5.32.19991108141542.0181c690@staff.sentex.ca> X-Sender: mdtpop@staff.sentex.ca X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Mon, 08 Nov 1999 14:15:42 -0500 To: David Gilbert , freebsd-security@FreeBSD.ORG From: Mike Tancsa Subject: Re: A new 'sploit? In-Reply-To: <14375.5840.975982.927941@trooper.velocet.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:30 PM 11/8/99 -0500, David Gilbert wrote: >On one of our client's servers, we found a directory structure full of >alternating Your public key (512-bit) goes here and >capital-A-repeated directory names. I assume the script kiddie should >have replaced all the capital-A's with their public key. Inside these >directories 'find.core' was linked to /root/.ssh/authorized_keys It is an 'old' exploit for the fts bug/hole. See the ongoing discussion "file name with questions - rm on it seg faults!!!" and ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-99:05.fts.asc This does effect 2.2.x, however if you cvsup RELENG_2_2 it is patched... ---Mike ------------------------------------------------------------------------ Mike Tancsa, tel 01.519.651.3400 Network Administrator, mike@sentex.net Sentex Communications www.sentex.net Cambridge, Ontario Canada To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message