From owner-freebsd-security Mon Jul 15 01:10:00 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA14116 for security-outgoing; Mon, 15 Jul 1996 01:10:00 -0700 (PDT)
Received: from dhp.com (dhp.com [199.245.105.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA14109 for ; Mon, 15 Jul 1996 01:09:57 -0700 (PDT)
Received: (from jaeger@localhost) by dhp.com (8.7.5/8.6.12) id EAA02564; Mon, 15 Jul 1996 04:09:49 -0400
Date: Mon, 15 Jul 1996 04:09:48 -0400 (EDT)
From: jaeger
To: jbhunt
cc: freebsd-security@freebsd.org
Subject: Re: New EXPLOIT located!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 14 Jul 1996, jbhunt wrote:

> Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers
> around our box. FINALLY, today at about 3 pm one of them made a BIG BIG
> mistake. Fortunately, for us I was around to watch what happened and kill
> the user before he was able to erase his history files and the exploit
> itself. So here are the files necessary to fix whatever hole this
> exploits. We run FreeBSD Current so it obviously makes most FreeBSD
> systems vulnerable to a root attack. I appreciate any help you can offer.
>
> John
> SysAdmin Gaianet

This is the rdist overflow exploit posted to bugtraq a few days ago by
Brian Mitchell. No magic there ;>. Once again, your posting of the
cracker's history logs was very informative. It appears they were busy
trading passwords on the IRC. At least he's adept enough at using find...

-jaeger