From owner-freebsd-hackers Tue Jun 25 14:44:24 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id OAA24830 for hackers-outgoing; Tue, 25 Jun 1996 14:44:24 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.211]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA24807 for ; Tue, 25 Jun 1996 14:44:18 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id OAA00994; Tue, 25 Jun 1996 14:43:37 -0700
From: Terry Lambert
Message-Id: <199606252143.OAA00994@phaeton.artisoft.com>
Subject: Re: I need help on this one - please help me track this guy down!
To: alk@Think.COM (Tony Kimball)
Date: Tue, 25 Jun 1996 14:43:37 -0700 (MST)
Cc: jbhunt@mercury.gaianet.net, hackers@FreeBSD.ORG
In-Reply-To: <199606252116.QAA20467@compound.Think.COM> from "Tony Kimball" at Jun 25, 96 04:16:45 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I suggest inducing the user to repeat her exploit. Take the system
> down. Wipe the user's directory. Bring it up, with a motd reporting
> a disk crash, and partial restoration. Log everything the user does.
>
> Or, you might just *ask*. Most folks who hack a random ISP system do
> it for fun, and love to brag about it.

rcp preserves suid/sgid on the target system. Now look for a writeable
sticky directory...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
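
A defender-side audit for the condition the reply above points at (set-id files sitting in world-writable directories), added here as an example and not part of the original message. The function names, the sample tree and its file names are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def find_setid_in_writable_dirs(root):
    """Return sorted (path, mode string, owner uid) for every regular file with
    the setuid or setgid bit that sits directly in a world-writable directory."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # does not follow symlinks
        try:
            dir_mode = os.lstat(dirpath).st_mode
        except OSError:
            continue  # directory vanished or is unreadable; skip it
        if not dir_mode & stat.S_IWOTH:
            continue  # only directories any user can write into are of interest
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            is_setid = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if stat.S_ISREG(st.st_mode) and is_setid:
                hits.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a 1777 directory 'pub' and a 0755 directory 'home'."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    layout = [("pub", 0o1777, "copied", 0o4755),     # set-id file in a sticky dir
              ("pub", 0o1777, "notes.txt", 0o644),   # ordinary file, same dir
              ("home", 0o755, "tool", 0o4755)]       # set-id, dir not writable
    for dirname, dir_mode, filename, file_mode in layout:
        directory = os.path.join(root, dirname)
        os.makedirs(directory, exist_ok=True)
        os.chmod(directory, dir_mode)
        path = os.path.join(directory, filename)
        with open(path, "w") as handle:
            handle.write("placeholder\n")
        os.chmod(path, file_mode)
    return root


if __name__ == "__main__":
    for path, mode, uid in find_setid_in_writable_dirs(build_sample_tree()):
        print(mode, uid, path)
```

On a real host, pass the mount point to audit instead of the sample tree; the owner uid in each hit shows which account the file would run as.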