From owner-freebsd-isp Tue Dec 30 16:19:40 1997
Return-Path: <owner-freebsd-isp>
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id QAA10866 for isp-outgoing; Tue, 30 Dec 1997 16:19:40 -0800 (PST) (envelope-from owner-freebsd-isp)
Received: from transbay.net (synergy.transbay.net [207.105.6.2]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA10837; Tue, 30 Dec 1997 16:19:30 -0800 (PST) (envelope-from ecsd@transbay.net)
Received: from synergy.transbay.net (synergy.transbay.net [207.105.6.2]) by transbay.net (8.8.5/8.8.5) with SMTP id QAA23838; Tue, 30 Dec 1997 16:19:47 -0800 (PST)
Message-ID: <34A98FA3.42877E5C@transbay.net>
Date: Tue, 30 Dec 1997 16:19:47 -0800
From: "Eric C. S. Dynamic"
Organization: TransBay.Net
X-Mailer: Mozilla 3.01Gold (X11; I; FreeBSD 2.2.1-RELEASE i386)
MIME-Version: 1.0
To: isp@freebsd.org, security@freebsd.org
CC: "Wut!?"
Subject: Re: Two sources for system-cracking tools
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Mike wrote:
> On Tue, 30 Dec 1997, Wut!? wrote:
> > Yeah, Rootshell.com isn't very good with his information, and there is a
> > very simple explanation why .. (He runs linux!)..
>
> [...] saying "He runs linux" is an
> explanation for poor logic is like saying [...]

He (rootshell) got the data from somewhere; maybe it's wrong. No point in being bigoted against Linux. When I justify choosing FreeBSD over Linux, I just tell people it's real BSD and that it has a reputation for being more robust, that we use it, and that there's only one kind. And I don't care to learn about another sort-of-similar, sort-of-different system unless I have to (no time).

Meanwhile, I reported those two sources for hacker stuff as a notice (what the land doc said of itself) and a question (does teardrop work if you're not using the firewall?).
Someone hacked our system by creating an executable suid-root copy of /bin/sh in /tmp. This is the second time someone has been able to do that; this time I discovered it about 12 minutes after the file was created, but I'd like to know "how they do that" and plug the hole. The user I axed had a dozen-plus hack'em crack'em thingys lying around, for experimentation. Maybe one of them works, but which one? A lot of them try to manipulate the stack at a machine level, apparently. If the suid-root /bin/sh in /tmp rings a bell, let me know a countermeasure. Thanks.
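The poster found the planted setuid shell by chance about 12 minutes after it appeared. The following is an added example, not code from the original post or from FreeBSD: a small POSIX sh sweep that lists setuid executables under a directory (optionally restricted to a given owner) and counts them, so it can be run from cron against world-writable directories such as /tmp and raise an alert when the count is non-zero. The function names and the assumption that find(1) supports `-perm -4000` and `-user` are mine.

```shell
#!/bin/sh
# Added example (not from the original post): detect setuid executables
# planted in world-writable directories such as /tmp.
# Assumes a find(1) that understands -perm -4000 (setuid bit set) and -user.

# find_setuid DIR [OWNER]
# Prints the path of every regular file under DIR with the setuid bit set.
# If OWNER is given (e.g. root), only files owned by OWNER are listed,
# which is the case the original post describes: a suid-root /bin/sh copy.
find_setuid() {
    dir=$1
    owner=$2
    if [ -n "$owner" ]; then
        find "$dir" -type f -perm -4000 -user "$owner" -print
    else
        find "$dir" -type f -perm -4000 -print
    fi
}

# count_setuid DIR [OWNER]
# Number of setuid files found; anything other than 0 under /tmp is
# worth an alert, since nothing legitimate should be setuid there.
count_setuid() {
    find_setuid "$1" "$2" | wc -l | tr -d ' '
}

# Typical cron use (runs as root, checks for suid-root files in /tmp):
#   n=$(count_setuid /tmp root)
#   [ "$n" = "0" ] || { echo "ALERT: $n setuid-root file(s) in /tmp"; find_setuid /tmp root; }
```

A sweep only shortens the window; the stronger countermeasure is to mount /tmp (and any other world-writable filesystem) with the `nosuid` option, so the kernel ignores the setuid bit on anything placed there and a planted copy of /bin/sh gains nothing even if the sweep misses it.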