Date: Tue, 25 Jun 1996 18:56:44 +0300 (EET DST)
From: Narvi <narvi@haldjas.folklore.ee>
To: "Eric J. Schwertfeger" <ejs@bfd.com>
Cc: -Vince- <vince@mercury.gaianet.net>, Mark Murray <mark@grumble.grondar.za>, hackers@FreeBSD.org, security@FreeBSD.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <Pine.BSF.3.91.960625184918.4028A-100000@haldjas.folklore.ee>
In-Reply-To: <Pine.BSI.3.94.960625073731.15315A-100000@harlie.bfd.com>

On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:

> On Tue, 25 Jun 1996, -Vince- wrote:
>
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
>
> Then the important question is, how did he move the file so that it
> retained the setuid bit? We're already pretty sure that the program is
> only /bin/sh with the setuid bit turned on. So either he found a way to
> move the file with the bit turned on, or he found a way to turn it on,
> which requires root access.

How did he get the file there in the first place? Via ftp? Or did he just
copy it over? Ftp seems to remove even the exec bit, let alone the
setuid. Could there be a way of attack via a modified ftp server?

	Sander
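
Added example, not part of the original message or of FreeBSD: a defender's check for the artifact this thread describes, a copy of /bin/sh carrying the setuid bit. It walks a directory tree and reports setuid/setgid regular files whose contents are byte-identical to a reference shell. The function names and the default scan root (/home) are assumptions chosen for illustration.

```python
import hashlib
import os
import stat
import sys


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid_shell_copies(root, shells=("/bin/sh",)):
    """Return sorted (path, owner_uid, mode) tuples for setuid/setgid regular
    files under root that are byte-identical to a reference shell."""
    ref = {}  # sha256 -> size of each reference shell that exists
    for shell in shells:
        real = os.path.realpath(shell)  # /bin/sh is often a symlink
        if os.path.isfile(real):
            ref[sha256_of(real)] = os.path.getsize(real)
    sizes = set(ref.values())
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                # Cheap size check first, hash only plausible candidates.
                if st.st_size in sizes and sha256_of(path) in ref:
                    hits.append((path, st.st_uid, stat.filemode(st.st_mode)))
            except OSError:
                continue  # unreadable or vanished file: skip it
    return sorted(hits)


if __name__ == "__main__":
    # Scan root is an assumption; pass the tree to check as argv[1].
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path, uid, mode in find_setuid_shell_copies(scan_root):
        print(f"{mode} uid={uid} {path}")
```

A hit owned by uid 0 is a root shell for anyone who can execute it. Because the match is on content rather than name, a renamed copy is still reported.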