Date: Fri, 24 Jul 1998 09:33:14 +0100 (BST)
From: Jay Tribick <netadmin@fastnet.co.uk>
To: "Lee Crites (ASC)" <leec@adam.adonai.net>
Cc: Garance A Drosihn <drosih@rpi.edu>, Drew Derbyshire <ahd@kew.com>, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-ID: <Pine.BSF.3.96.980724093213.21430M-100000@bofh.fast.net.uk>
In-Reply-To: <Pine.BSF.3.96.980723231641.9874A-100000@adam.adonai.net>
| =>That executable would see a few things about what privileges it
| =>was running with before trying to do nasty things.  No matter
| =>what, it would then run the *real* program, so the user always
| =>got the results that they were expecting to see.  All the
| =>*real* programs were buried in a non-obvious directory.  So,
| =>the nasty program would find out what path it was started up
| =>as, and then just add /var/.hidden/non-obviousplace on to the
| =>front of that pathname.  So, the exact same executable could be
| =>used to replace all executables in a given directory.
|
| This sounds exactly like what I was seeing.  After I regained
| some presence of mind I thought it would have been nice if I
| could have checked for something like that.  In fact, for all I
| know, the "executable" I was looking at might have just been a
| script.  Okay, okay, a 180-something-k script might be a little
| excessive, but the point is I have no idea what was there.  I did
| notice, though, that each command appeared to work properly even
| though the command itself was exactly the same as all of the
| other ones.

Just thought I'd point out that it's quite possible this was a rootkit.
If you look on your system you'll find a little-known-about utility
called crunchgen, which can concatenate and compress multiple
executables into one file.  If you then do various symlinks to this
file it will exec the appropriate function.

RTFM - 'man crunchgen' :)

Regards,

Jay Tribick

--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information              |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
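The check Lee says he wished he had is straightforward to script. Both variants discussed in the thread (one wrapper binary copied over every command in a directory, or one crunchgen-style multi-call binary reached through symlinks or hard links) leave the same fingerprint: many different command names in one directory that resolve to byte-identical content. The script below, an added example that is not part of this thread or of FreeBSD, groups the entries of a directory by the content they resolve to (following symlinks, collapsing hard links by inode, then hashing with SHA-256) and reports any group with more than a handful of names. The sample directory it builds under /tmp is constructed for the demonstration; the names `find_shared_bodies`, `build_sample_dir` and `demo` are this example's own.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from collections import defaultdict


def sha256_of(path):
    """SHA-256 of a file's bytes, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shared_bodies(directory, min_names=3):
    """Map content -> command names for entries of `directory`.

    os.stat() follows symlinks, so a link is credited to its target.
    Hard links share an inode and are hashed once; plain copies of the
    same bytes still collapse because the final key is the SHA-256.
    Only groups with at least `min_names` names are returned, as
    {sha256_hex: sorted list of names}.
    """
    names_by_hash = defaultdict(set)
    hash_by_inode = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)
        except OSError:
            continue  # dangling symlink or unreadable entry: nothing to hash
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, sockets, devices are not candidates
        inode = (st.st_dev, st.st_ino)
        if inode not in hash_by_inode:
            hash_by_inode[inode] = sha256_of(path)
        names_by_hash[hash_by_inode[inode]].add(name)
    return {h: sorted(n) for h, n in names_by_hash.items() if len(n) >= min_names}


def build_sample_dir():
    """Constructed sample directory (not real system binaries).

    Four commands are separate copies of one body, one is a hard link
    to a copy and one a symlink to a copy; two commands are distinct.
    """
    d = tempfile.mkdtemp(prefix="bincheck-")
    multicall = b"constructed stand-in for one body replacing many commands\n"
    for name in ("ls", "ps", "netstat", "login"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(multicall)
    try:
        os.link(os.path.join(d, "ls"), os.path.join(d, "who"))
    except OSError:  # filesystem without hard links: a plain copy is equivalent here
        shutil.copyfile(os.path.join(d, "ls"), os.path.join(d, "who"))
    os.symlink(os.path.join(d, "ps"), os.path.join(d, "w"))
    with open(os.path.join(d, "cat"), "wb") as f:
        f.write(b"constructed distinct body for cat\n")
    with open(os.path.join(d, "true"), "wb") as f:
        f.write(b"constructed distinct body for true\n")
    return d


def demo():
    """Build the constructed directory and return the suspicious groups."""
    d = build_sample_dir()
    try:
        return find_shared_bodies(d)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for digest, names in demo().items():
        print("%s... shared by %d names: %s" % (digest[:12], len(names), " ".join(names)))
    # Point it at a real directory with: find_shared_bodies("/usr/bin")
```

Run against /bin or /usr/bin on a suspect host (ideally from a boot medium, since a replaced `ls` or `sha256` would lie about itself). One caveat: a crunched binary is legitimate in some places, so a result like this is expected for a rescue directory built with crunchgen, but not for the general system binaries; the complementary check from the quoted description is to look for dot-directories under /var or elsewhere that hold the "real" programs the wrapper execs.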