From owner-freebsd-security Sun Feb 25 13:21:33 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA20434 for security-outgoing; Sun, 25 Feb 1996 13:21:33 -0800 (PST)
Received: from nervosa.com (root@nervosa.com [192.187.228.86]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA20410 for ; Sun, 25 Feb 1996 13:21:08 -0800 (PST)
Received: from nervosa.com (coredump@onyx.nervosa.com [10.0.0.1]) by nervosa.com (8.7.4/nervosa.com.2) with SMTP id NAA08497; Sun, 25 Feb 1996 13:19:18 -0800 (PST)
Date: Sun, 25 Feb 1996 13:19:18 -0800 (PST)
From: invalid opcode
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: Suspicious symlinks in /tmp
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

On Sat, 24 Feb 1996, Brian Tao wrote:

> lrwxrwxrwt 1 bin user 21 Feb 24 17:04 passwd-link.19573 -> /tmp/passwd-dir.19573
> lrwxrwxrwt 1 bin user 21 Feb 24 17:04 passwd-link.20196 -> /tmp/passwd-dir.20196
> lrwxrwxrwt 1 bin user 21 Feb 24 17:04 passwd-link.20543 -> /tmp/passwd-dir.20543
>
> Brian Tao (BT300, taob@io.org)

Looks like someone is trying to exploit a race condition in order to grab
the password file.

== Chris Layne ==============================================================
== coredump@nervosa.com ================= http://www.nervosa.com/~coredump ==