Date: Mon, 28 Jul 1997 04:39:27 -0700 (PDT) From: Vincent Poy <vince@mail.MCESTATE.COM> To: Tomasz Dudziak <loco@onyks.wszib.poznan.pl> Cc: security@FreeBSD.ORG, "[Mario1-]" <mario1@PrimeNet.Com>, JbHunt <johnnyu@accessus.net> Subject: Re: security hole in FreeBSD Message-ID: <Pine.BSF.3.95.970728043652.3844F-100000@mail.MCESTATE.COM> In-Reply-To: <Pine.BSF.3.96.970728132413.397A-100000@onyks.wszib.poznan.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 28 Jul 1997, Tomasz Dudziak wrote:
=)On Mon, 28 Jul 1997, Vincent Poy wrote:
=)
=)> Greetings,
=)>
=)> We're had a hacker on two of our FreeBSD -current machines who
=)> hacked the machine as root.
=)>
=)> The symptoms are as follows:
=)> 1) User on mercury machine complained about perl5 not working which was
=)> perl5.003 since libmalloc lib it was linked to was missing.
=)> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
=)> and it works.
=)> 3) User hacks earth when he doesn't even have a account on the machine
=)> and can login to the machine remotely as root when rlogin and telnet
=)> wouldn't allow it.
=)> 4) User is invisible in w, finger, who, users and can only be seen using
=)> ps -agux on a pty so I killed the process.
=)> 5) User changes hostnames even in a netstat output so it's all garbage
=)> 6) We went to inetd.conf and shut off all daemons except telnetd and
=)> rebooted and user still can get onto the machine invisibly.
=)> 7) User shuts down the machine and changes root password
=)>
=)> Saw the user on irc posting the password of earth with the login
=)> name root. Any ideas?
=)
=)Well it is possible that he has recompiled /usr/bin/login for example.
=)Something like:
=)if(strcmp(username, "blahblah")==0)
=){
=)setuid(0);
=)setgid(0);
=)system("/bin/sh");
=)}
=)inserted does the job. You are then invisible to w and others... bot not
=)netstat i think...
He wasn't invisible to netstat but he did do something that faked
the hostname even in netstat.
=)There was a security hole some time ago in perl that allowed local users
=)to gain root access... That's probably the way he got root access...
=)I would check my binaries, sup and recompile.
Hmmm, I supped the perl from the most recent ports tree and also
all the binaries are about 2 months old from the -current tree. I thought
the security hole was way before that. What I didn't get is how did he
get access to the second system (earth) when he doesn't have a account
there in the first place?
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate / / / / | / | __] ]
Beverly Hills, California USA 90210 / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970728043652.3844F-100000>