From owner-freebsd-questions Mon Nov 17 20:14:57 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id UAA15517
    for questions-outgoing; Mon, 17 Nov 1997 20:14:57 -0800 (PST)
    (envelope-from owner-freebsd-questions)
Received: from coal.sentex.ca (coal.sentex.ca [209.112.4.16])
    by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id UAA15512
    for ; Mon, 17 Nov 1997 20:14:54 -0800 (PST)
    (envelope-from mike@sentex.net)
Received: from gravel-remote.sentex.ca (gravel-remote.sentex.ca [209.112.4.181])
    by coal.sentex.ca (8.8.7/8.8.7) with SMTP id XAA02318;
    Mon, 17 Nov 1997 23:23:52 -0500 (EST)
    (envelope-from mike@sentex.net)
From: mike@sentex.net (Mike Tancsa)
To: randyk@ccsales.com ("Randy A. Katz")
Cc: questions@freebsd.org
Subject: Re: HOW (HIJACK ROOT PROCESS)
Date: Tue, 18 Nov 1997 04:07:48 GMT
Message-ID: <347113cd.4961454@coal.sentex.net>
References: <3.0.5.32.19971116091341.00ca0650@ccsales.com>
In-Reply-To: <3.0.5.32.19971116091341.00ca0650@ccsales.com>
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 16 Nov 1997 09:13:41 -0800, in sentex.lists.freebsd.questions you wrote:

>Hello,
>
>I suspect someone hijacked a root process, downloaded master.passwd, ran
>cracker (or something like that) on it and gained complete access to one of
>my systems.
>
>I'm running FreeBSD 2.2.2 RELEASE with the latest sendmail, bind, mail queue
>software (qpop)...

I believe there are a couple of security holes in 2.2.2-RELEASE that would
give root access to a non-wheel user... Have a look at the cvsup info at
http://www.freebsd.org/handbook/handbook228.html#483 for instructions on how
to stay current with 2.2-RELENG.

---Mike