From owner-freebsd-security Mon Jul 15 01:21:14 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id BAA14774 for security-outgoing; Mon, 15 Jul 1996 01:21:14 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA14769;
    Mon, 15 Jul 1996 01:21:10 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12)
    id BAA26136; Mon, 15 Jul 1996 01:21:07 -0700 (PDT)
Date: Mon, 15 Jul 1996 01:21:07 -0700 (PDT)
From: -Vince-
To: Gary Palmer
cc: jbhunt, freebsd-security@freebsd.org, root@mercury.gaianet.net
Subject: Re: New EXPLOIT located!
In-Reply-To: <1232.837417960@orion.webspan.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 15 Jul 1996, Gary Palmer wrote:

> jbhunt wrote in message ID
> :
> > Ok, for almost 3 weeks now we at Gaianet have been tracking root hackers
> > around our box. FINALLY, today at about 3 pm one of them made a BIG BIG
> > mistake. Fortunately, for us I was around to watch what happened and kill
> > the user before he was able to erase his history files and the exploit
> > itself. So here are the files necessary to fix whatever hole this
> > exploits. We run FreeBSD Current so it obviously makes most FreeBSD
> > systems vulnerable to a root attack. I appreciate any help you can offer.
>
> from the source supplied:
>
> --SNIP--
> execl("/usr/bin/rdist", "rdist", "-d", buff, "-d", buff, NULL);
> --SNIP--
>
> You *HAVE* applied the rdist patch(es), or better yet, DISABLED rdist
> totally, haven't you?

Only took out the setuid flag... Have the patches been applied to the
latest -current since I just recompiled rdist from the latest -current
sources...

Vince