From owner-freebsd-security Thu Jul 23 21:19:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA07828 for freebsd-security-outgoing; Thu, 23 Jul 1998 21:19:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from adam.adonai.net (adam.adonai.net [207.8.83.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA07810 for ; Thu, 23 Jul 1998 21:19:41 -0700 (PDT) (envelope-from leec@adam.adonai.net)
Received: from localhost (leec@localhost) by adam.adonai.net (8.8.7/8.8.7) with SMTP id XAA09879; Thu, 23 Jul 1998 23:19:05 -0500 (CDT) (envelope-from leec@adam.adonai.net)
Date: Thu, 23 Jul 1998 23:19:05 -0500 (CDT)
From: "Lee Crites (ASC)"
To: Garance A Drosihn
cc: Drew Derbyshire , security@FreeBSD.ORG
Subject: Re: hacked and don't know why
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 22 Jul 1998, Garance A Drosihn wrote:

=>That executable would see a few things about what privileges it
=>was running with before trying to do nasty things. No matter
=>what, it would then run the *real* program, so the user always
=>got the results that they were expecting to see. All the
=>*real* programs were buried in a non-obvious directory. So,
=>the nasty program would find out what path it was started up
=>as, and then just add /var/.hidden/non-obviousplace on to the
=>front of that pathname. So, the exact same executable could be
=>used to replace all executables in a given directory.

This sounds exactly like what I was seeing. After I regained some presence of mind I thought it would have been nice if I could have checked for something like that. In fact, for all I know, the "executable" I was looking at might have just been a script. Okay, okay, a 180-something-k script might be a little excessive, but the point is I have no idea what was there.

I did notice, though, that each command appeared to work properly even though the command itself was exactly the same as all of the other ones.

Lee

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lee Crites   Adonai Services Company, Round Rock, Texas
leec@adonai.net   http://www.adonai.net/~leec
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
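The check Lee says he wished he could have run, as an added example that is not part of this thread: a POSIX shell script that groups the executables in a directory by checksum and reports any set that are byte-identical, which is the symptom described above (every command being the same file). The directory and file names are constructed for the demo; cksum is used because it is available everywhere, but a sha256sum-based comparison against known-good hashes is the stronger check.

```shell
#!/bin/sh
# Added example (not from the thread): find executables in one directory
# that are byte-for-byte identical, the signature of a single wrapper
# binary or script copied over many real commands.

# Print one line per group of identical executables:
#   "<crc> <size> <path> <path> ..."   (only groups with 2+ members)
find_duplicate_binaries() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -perm -100 -exec cksum {} + 2>/dev/null \
      | awk '{ key = $1 " " $2
               path = $0; sub(/^[0-9]+ [0-9]+ /, "", path)   # keep spaces in paths
               paths[key] = paths[key] " " path; n[key]++ }
             END { for (k in n) if (n[k] > 1) print k paths[k] }' \
      | sort
}

# Number of suspicious groups; "0" means no two executables were identical
count_duplicate_groups() {
    find_duplicate_binaries "$1" | wc -l | tr -d ' '
}

# Constructed sample directory: three "commands" that are really one file,
# plus one genuinely distinct executable. Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "same file"\n' > "$d/ls"
    chmod 755 "$d/ls"
    cp "$d/ls" "$d/ps"
    cp "$d/ls" "$d/netstat"
    printf '#!/bin/sh\necho "different file"\n' > "$d/who"
    chmod 755 "$d/who"
    printf '%s\n' "$d"
}

# Usage: sh dupecheck.sh /bin     or     sh dupecheck.sh --demo
case "${1:-}" in
    --demo) d=$(make_demo_dir); find_duplicate_binaries "$d"; rm -rf "$d" ;;
    "") ;;
    *) find_duplicate_binaries "$1" ;;
esac
```

A clean /bin normally yields no output apart from legitimate hard-linked or copied tools (compare any hit against the package database or an mtree manifest before acting on it).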