From owner-freebsd-hackers Wed Jun 26 00:25:35 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA14533 for hackers-outgoing; Wed, 26 Jun 1996 00:25:35 -0700 (PDT)
Received: from proxy.siemens.at (proxy.siemens.at [192.138.228.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA14467 for ; Wed, 26 Jun 1996 00:24:45 -0700 (PDT)
Received: from sol1.gud.siemens.co.at (sol-f.gud.siemens-austria) by proxy.siemens.at with SMTP id AA27221 (5.67a/IDA-1.5 for ); Wed, 26 Jun 1996 09:23:55 +0200
Received: from ws2301.gud.siemens.co.at by sol1.gud.siemens.co.at with smtp (Smail3.1.28.1 #7 for ) id m0uYox9-00021GC; Wed, 26 Jun 96 09:23 MET DST
Received: by ws2301.gud.siemens.co.at (1.37.109.16/1.37) id AA108163778; Wed, 26 Jun 1996 09:22:58 +0200
From: "Hr.Ladavac"
Message-Id: <199606260722.AA108163778@ws2301.gud.siemens.co.at>
Subject: Re: I need help on this one - please help me track this guy down!
To: terry@lambert.org (Terry Lambert)
Date: Wed, 26 Jun 1996 09:22:58 +0200 (MESZ)
Cc: alk@Think.COM, jbhunt@mercury.gaianet.net, hackers@freebsd.org
In-Reply-To: <199606252143.OAA00994@phaeton.artisoft.com> from "Terry Lambert" at Jun 25, 96 02:43:37 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In his e-mail Terry Lambert wrote:
> > I suggest inducing the user to repeat her exploit. Take the system
> > down. Wipe the user's directory. Bring it up, with a motd reporting
> > a disk crash, and partial restoration. Log everything the user does.
> >
> > Or, you might just *ask*. Most folks who hack a random ISP system do
> > it for fun, and love to brag about it.
>
> rcp preserves suid/sgid on the target system. Now look for a writeable
> sticky directory... Ten dollar gets you one it's called /tmp ...

No wonder people mount /var as nosuid noexec nodev and link /tmp to /var/tmp :)

/Marino

PS: you sure about rcp? (I'm gonna try it anyway :)

>
>
> Terry Lambert
> terry@lambert.org
> ---
> Any opinions in this posting are my own and not those of my present
> or previous employers.
>
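
An added example, not part of the original message or of FreeBSD's own code: a POSIX shell audit for the hardening mentioned above. It reports which of nosuid/noexec/nodev a mount point lacks and lists setuid/setgid files under a directory such as /tmp. The function names and the mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the /tmp and /var hardening discussed above.

# missing_opts MOUNTPOINT   (stdin: output of mount(8))
# Prints which of nosuid/noexec/nodev are absent for MOUNTPOINT, or
# "unmounted" if MOUNTPOINT is not its own filesystem. Assumes lines of the
# form "DEVICE on MOUNTPOINT ... (opt, opt, ...)".
missing_opts() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            found = 1
            opts = $0
            sub(/^[^(]*\(/, "", opts)   # drop everything up to "("
            sub(/\).*$/, "", opts)      # drop ")" and what follows
            n = split(opts, o, /, */)
            for (i = 1; i <= n; i++) have[o[i]] = 1
        }
        END {
            if (!found) { print "unmounted"; exit }
            n = split("nosuid noexec nodev", want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(want[i] in have))
                    out = (out == "" ? "" : out " ") want[i]
            print out
        }'
}

# find_setid DIR
# Lists regular files under DIR that carry the setuid or setgid bit,
# without crossing into other filesystems.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Constructed sample mount table (not taken from any real host).
SAMPLE='/dev/ada0p2 on / (ufs, local)
/dev/ada0p4 on /var (ufs, local, nodev, noexec, nosuid)
/dev/ada0p5 on /usr (ufs, local, nodev)'

for mp in / /var /usr; do
    printf '%s: missing [%s]\n' "$mp" \
        "$(printf '%s\n' "$SAMPLE" | missing_opts "$mp")"
done
```

On a live host, pipe the real `mount` output into `missing_opts /var` and run `find_setid /tmp` and `find_setid /var/tmp`; any file the second command lists in a world-writable directory deserves a look.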