From: Garance A Drosihn
To: Drew Derbyshire
Cc: security@FreeBSD.ORG
Date: Wed, 22 Jul 1998 19:36:41 -0400
Subject: Re: hacked and don't know why
In-Reply-To: <199807221535.LAA03172@kendra.ne.mediaone.net>
References: <199807221453.IAA03997@lariat.lariat.org>

At 11:35 AM -0400 7/22/98, Drew Derbyshire wrote:
> I did not see the corruption problems reported with the other QPOP
> attack; as I noted before, the visitors to my system were surgical
> in their wanton destruction. I think they wanted me to know they
> could have done worse but didn't.

For what it's worth, a long time ago we had a break-in problem, not on
FreeBSD, where all the binaries in /usr/bin (or some other common
directories) were replaced with a single executable, and all programs
seemed to still work fine. That executable would check a few things
about what privileges it was running with before trying to do nasty
things. No matter what, it would then run the *real* program, so the
user always got the results that they were expecting to see. All the
*real* programs were buried in a non-obvious directory.

So, the nasty program would find out what path it was started up as,
and then just add /var/.hidden/non-obviousplace on to the front of that
pathname. So, the exact same executable could be used to replace all
executables in a given directory.

We unhooked the machine from the network, learned what we could about
what had happened, and reformatted & rebuilt all the information on the
hard drive...

---
Garance Alistair Drosehn        =   gad@eclipse.its.rpi.edu
Senior Systems Programmer       or  drosih@rpi.edu
Rensselaer Polytechnic Institute
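A quick check for the kind of replacement described in the mail above: when one wrapper binary is copied over every program in a directory, the directory suddenly contains many files with identical content but distinct inodes, whereas legitimate duplicates on a stock system are normally hard links (one inode, several names). This is an added example, not code from the original thread; it assumes only POSIX `cksum`, `ls`, `awk` and `sort`, and the directory and threshold names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original mail). Reports clusters of regular
# files in DIR whose contents are identical (same cksum CRC and size) but
# which live in different inodes. A wrapper copied over every binary in
# /usr/bin produces exactly such a cluster; hard links (same inode) are
# counted once and so are not flagged on their own.
#
# find_identical_clusters DIR [MIN]
#   prints one line per cluster: "<distinct-inodes> <crc> <size> <paths...>"
#   for every cluster with at least MIN (default 2) distinct inodes.
find_identical_clusters() {
    dir=$1
    min=${2:-2}
    for f in "$dir"/*; do
        # regular files only; symlinks are skipped so each target is hashed once
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        ino=$(ls -di "$f" | awk '{print $1}')
        # cksum prints "<crc> <size> <path>"; emit "<crc> <size> <inode> <path>"
        cksum "$f" | awk -v ino="$ino" '{
            crc = $1; size = $2
            sub(/^[^ ]+ +[^ ]+ +/, "")      # remainder of the line is the path
            print crc, size, ino, $0
        }'
    done | awk -v min="$min" '
        {
            key = $1 " " $2                 # CRC + byte size identify the content
            ino = $3
            sub(/^[^ ]+ [^ ]+ [^ ]+ /, "")  # remainder is the path (may contain spaces)
            paths[key] = paths[key] " " $0
            # count each inode only once per content key
            if (!((key SUBSEP ino) in seen)) { seen[key SUBSEP ino] = 1; n[key]++ }
        }
        END {
            for (k in n) if (n[k] >= min) print n[k], k, paths[k]
        }' | sort -rn
}

# Stand-alone usage (hypothetical directory): list suspicious clusters in /usr/bin
# find_identical_clusters /usr/bin 3
```

On FreeBSD a cluster reported here should be compared against a trusted baseline (for example an mtree specification taken from installation media) rather than trusted on its own, since a few identical-content binaries can be legitimate.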