Date: Tue, 25 Jun 1996 13:03:06 -0700 (PDT)
From: -Vince-
To: "Eric J. Schwertfeger"
cc: Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!

On Tue, 25 Jun 1996, Eric J. Schwertfeger wrote:

> On Tue, 25 Jun 1996, -Vince- wrote:
>
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
>
> Then the important question is, how did he move the file so that it
> retained the setuid bit? We're already pretty sure that the program is
> only /bin/sh with the setuid bit turned on. So either he found a way to
> move the file with the bit turned on, or he found a way to turn it on,
> which requires root access.

It was a remote login so he had to transfer it over somehow...

Vince
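A check an admin could run on the situation discussed in this thread, as an added example that is not part of the original messages: it walks a directory tree and reports setuid files whose content is byte-identical to a known shell, with the owner and inode change time of each. The function names, the scanned path `/home` and the shell list are assumptions chosen for illustration.

```python
import hashlib
import os
import stat
import time


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_setuid_shell_copies(root, shell_paths):
    """Return setuid files under root whose content equals a known shell."""
    known = {sha256_of(p): p for p in shell_paths if os.path.isfile(p)}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable or vanished file; skip it
            if digest in known:
                hits.append({
                    "path": path,
                    "matches": known[digest],
                    "owner_uid": st.st_uid,
                    # ctime moves when mode or owner changes, so it bounds
                    # when the setuid bit was last set on this inode
                    "inode_changed": time.ctime(st.st_ctime),
                })
    return hits


if __name__ == "__main__":
    # Assumed scan root and shell list; adjust for the host being examined.
    for hit in find_setuid_shell_copies("/home", ["/bin/sh", "/bin/csh"]):
        print(hit)
```

A hit with `owner_uid` 0 is the case the thread describes; the inode change time can then be compared against login and transfer logs.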