Date: Wed, 22 Jul 1998 19:36:41 -0400
From: Garance A Drosihn <drosih@rpi.edu>
To: Drew Derbyshire <ahd@kew.com>
Cc: security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-ID: <v04011703b1dc263644f1@[128.113.24.47]>
In-Reply-To: <199807221535.LAA03172@kendra.ne.mediaone.net>
References: <199807221453.IAA03997@lariat.lariat.org>
At 11:35 AM -0400 7/22/98, Drew Derbyshire wrote:

> I did not see the corruption problems reported with the other QPOP
> attack; as I noted before, the visitors to my system were surgical
> in their wanton destruction. I think they wanted me to know they
> could have done worse but didn't.

For what it's worth, a long time ago we had a break-in problem, not on FreeBSD, where all the binaries in /usr/bin (or some other common directories) were replaced with a single executable, and all programs seemed to still work fine. That executable would see a few things about what privileges it was running with before trying to do nasty things. No matter what, it would then run the *real* program, so the user always got the results that they were expecting to see.

All the *real* programs were buried in a non-obvious directory. So, the nasty program would find out what path it was started up as, and then just add /var/.hidden/non-obviousplace on to the front of that pathname. So, the exact same executable could be used to replace all executables in a given directory.

We unhooked the machine from the network, learned what we could about what had happened, and reformatted & rebuilt all the information on the hard drive...

---
Garance Alistair Drosehn     =  gad@eclipse.its.rpi.edu
Senior Systems Programmer    or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
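The wrapper trick described in the message above leaves two artifacts a defender can look for: many differently named executables in one directory that have byte-identical contents, and a dot-directory holding the relocated originals. The following script is an added example written for this archive page; it is not code from the message, from FreeBSD, or from either author. It assumes nothing beyond the Python standard library: `build_demo_dir()` constructs a throwaway sample "bin" directory (four small scripts, three of which are then overwritten with the same placeholder bytes, plus a `.hidden` subdirectory), and the three check functions run against it. In practice you would point them at the real directory and take the manifest from a package database or a baseline you stored before the incident.

```python
#!/usr/bin/env python3
"""Detect the 'one wrapper replacing every binary' pattern.

Added example, not from the original message. The checks are:
  1. group executables in a directory by content digest; a digest shared by
     many differently named files is the signature of a single replacement
     wrapper;
  2. compare the directory against a known-good name -> digest manifest;
  3. list dot-directories under a tree, where relocated originals tend to sit.
"""
import hashlib
import os
import stat
import tempfile
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable_file(path: Path) -> bool:
    """Regular file (symlinks are not followed) with any execute bit set."""
    st = path.lstat()
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def group_by_content(dirpath, min_group=3):
    """Return {digest: sorted names} for digests shared by >= min_group executables."""
    groups = defaultdict(list)
    for entry in Path(dirpath).iterdir():
        if is_executable_file(entry):
            groups[sha256_of(entry)].append(entry.name)
    return {d: sorted(names) for d, names in groups.items() if len(names) >= min_group}


def diff_against_manifest(dirpath, manifest):
    """Compare a directory with a name -> digest baseline.

    Returns (modified, missing, unexpected), each a sorted list of names.
    """
    present = {e.name: sha256_of(e) for e in Path(dirpath).iterdir() if is_executable_file(e)}
    modified = sorted(n for n, d in manifest.items() if n in present and present[n] != d)
    missing = sorted(n for n in manifest if n not in present)
    unexpected = sorted(n for n in present if n not in manifest)
    return modified, missing, unexpected


def find_dot_directories(root):
    """Sorted relative paths of directories whose name starts with '.' under root."""
    root = Path(root)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.startswith("."):
                found.append(str(Path(dirpath, d).relative_to(root)))
    return sorted(found)


def build_demo_dir():
    """Constructed sample: a fake bin directory where three tools were replaced.

    Returns (root, manifest) where manifest holds the pre-compromise digests.
    """
    root = Path(tempfile.mkdtemp(prefix="bindemo-"))
    originals = {
        "ls": b"#!/bin/sh\necho real ls\n",
        "ps": b"#!/bin/sh\necho real ps\n",
        "cat": b"#!/bin/sh\necho real cat\n",
        "who": b"#!/bin/sh\necho real who\n",
    }
    manifest = {}
    for name, body in originals.items():
        p = root / name
        p.write_bytes(body)
        p.chmod(0o755)
        manifest[name] = sha256_of(p)  # baseline taken before the "compromise"
    # Simulate the incident: ls, ps and who now all hold identical placeholder
    # bytes (an inert stand-in, not a working wrapper), and a dot-directory appears.
    placeholder = b"CONSTRUCTED-WRAPPER-PLACEHOLDER\n"
    for name in ("ls", "ps", "who"):
        (root / name).write_bytes(placeholder)  # mode 0755 is preserved
    (root / ".hidden" / "nonobvious").mkdir(parents=True)
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_dir()
    print("identical-content groups:", group_by_content(demo_root))
    print("modified/missing/unexpected:", diff_against_manifest(demo_root, demo_manifest))
    print("dot-directories:", find_dot_directories(demo_root))
```

The digest grouping catches the pattern even without a baseline, which matters on a box where the package database itself may have been tampered with; the manifest comparison is the stronger check when the baseline is stored off-host. Run both from trusted media, since a `sha256sum` or `python` binary on the compromised system could itself be one of the wrappers.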