From owner-freebsd-security Mon Jul 15 01:06:17 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA13894 for security-outgoing; Mon, 15 Jul 1996 01:06:17 -0700 (PDT)
Received: from orion.webspan.net (root@orion.webspan.net [206.154.70.41]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA13884 for ; Mon, 15 Jul 1996 01:06:09 -0700 (PDT)
Received: from localhost (gpalmer@localhost [127.0.0.1]) by orion.webspan.net (8.7.5/8.6.12) with SMTP id EAA01236; Mon, 15 Jul 1996 04:06:00 -0400 (EDT)
X-Authentication-Warning: orion.webspan.net: Host gpalmer@localhost [127.0.0.1] didn't use HELO protocol
To: jbhunt
cc: freebsd-security@freebsd.org, root@mercury.gaianet.net
From: "Gary Palmer"
Subject: Re: New EXPLOIT located!
In-reply-to: Your message of "Sun, 14 Jul 1996 23:52:43 PDT."
Date: Mon, 15 Jul 1996 04:06:00 -0400
Message-ID: <1232.837417960@orion.webspan.net>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

jbhunt wrote in message ID :
> Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers
> around our box. FINALLY, today at about 3 pm one of them made a BIG BIG
> mistake. Fortunately for us, I was around to watch what happened and kill
> the user before he was able to erase his history files and the exploit
> itself. So here are the files necessary to fix whatever hole this
> exploits. We run FreeBSD Current, so it obviously makes most FreeBSD
> systems vulnerable to a root attack. I appreciate any help you can offer.

From the source supplied:

--SNIP--
execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL);
--SNIP--

You *HAVE* applied the rdist patch(es), or better yet, DISABLED rdist totally, haven't you?

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.  See http://www.FreeBSD.ORG/ for info
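The quoted exploit source hands an attacker-controlled buffer to a setuid-root rdist via its -d option, and Gary's advice is to patch rdist or disable it. The following is an added example (not code from either message or from the FreeBSD project) showing the check and the fix a practitioner would want: confirm whether a binary still carries the setuid bit, strip it, and audit a directory tree for other setuid files. It assumes a POSIX shell with ls, cut, chmod and find; the path /usr/bin/rdist is taken from the quoted execl call, every other name here is illustrative.

```shell
# Added example, not part of the original message.
# Assumes POSIX ls/cut/chmod/find; /usr/bin/rdist comes from the quoted execl().

# is_setuid PATH -> exit 0 if the setuid bit is set on PATH, 1 otherwise.
# In `ls -l` output the 4th character is the owner-execute slot; it reads
# 's' (setuid + exec) or 'S' (setuid without exec) when the bit is set.
is_setuid() {
    case "$(ls -l "$1" 2>/dev/null | cut -c4)" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# disable_setuid PATH -> strip the setuid bit so the program runs with the
# caller's privileges; a crafted argument then cannot yield root.
disable_setuid() {
    chmod u-s "$1"
}

# audit_setuid DIR... -> print every regular file under DIR... with the
# setuid bit set (-perm -4000 is POSIX find syntax for "setuid bit present").
audit_setuid() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# Usage, as typed at a root shell on the affected host (illustrative paths):
#   is_setuid /usr/bin/rdist && disable_setuid /usr/bin/rdist
#   audit_setuid /usr/bin /usr/sbin /usr/local/bin
```

Stripping the setuid bit removes the privilege escalation but also breaks legitimate remote-distribution use; the patched rdist is the option that keeps the functionality, and the audit is worth re-running after any OS upgrade, since a reinstall can restore the bit.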