Date:      Mon, 28 Jul 1997 13:22:44 +0000 (GMT)
From:      "Jonathan A. Zdziarski" <jonz@netrail.net>
To:        Ollivier Robert <roberto@keltia.freenix.fr>
Cc:        security@FreeBSD.ORG
Subject:   Re: security hole in FreeBSD
Message-ID:  <Pine.BSF.3.95q.970728132145.4159A-100000@netrail.net>
In-Reply-To: <19970728171633.10794@keltia.freenix.fr>

I would also check /etc/inetd.conf to make sure he didn't set himself up
with a root-environment on some port. I know finger -P will let you run,
for example, a shell, and if it is set up as root, well...


-------------------------------------------------------------------------
Jonathan A. Zdziarski                                NetRail Incorporated
Server Engineering Manager                    230 Peachtree St. Suite 500
jonz@netrail.net                                        Atlanta, GA 30303
http://www.netrail.net                                    (888) - NETRAIL
------------------------------------------------------------------------- 

On Mon, 28 Jul 1997, Ollivier Robert wrote:

:According to Vincent Poy:
:> 1) User on mercury machine complained about perl5 not working which was
:> perl5.003 since libmalloc lib it was linked to was missing.
:> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
:> and it works.
:
:I don't think he used perl to hack root unless you kept old versions of
:Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by
:Werner. 5.003+ holes are fixed in 5.004 and later.
:
:> 6) We went to inetd.conf and shut off all daemons except telnetd and 
:> rebooted and user still can get onto the machine invisibly.
:
:That shows that he has used a spare port to hook a root shell on. In this
:case, "netstat -a" or "lsof -i:TCP" will give you all connections,
:including those on which a program is LISTENing to. That way you'll catch
:any process left on a port.
:
:-- 
:Ollivier ROBERT -=- FreeBSD: There are no limits -=- roberto@keltia.freenix.fr
:FreeBSD keltia.freenix.fr 3.0-CURRENT #23: Sun Jul 20 18:10:34 CEST 1997
:



