From owner-freebsd-security Mon Jul 28 04:40:00 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id EAA24497 for security-outgoing; Mon, 28 Jul 1997 04:40:00 -0700 (PDT) Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA24492 for ; Mon, 28 Jul 1997 04:39:58 -0700 (PDT) Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id EAA04068; Mon, 28 Jul 1997 04:39:28 -0700 (PDT) Date: Mon, 28 Jul 1997 04:39:27 -0700 (PDT) From: Vincent Poy To: Tomasz Dudziak cc: security@FreeBSD.ORG, "[Mario1-]" , JbHunt Subject: Re: security hole in FreeBSD In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk On Mon, 28 Jul 1997, Tomasz Dudziak wrote: =)On Mon, 28 Jul 1997, Vincent Poy wrote: =) =)> Greetings, =)> =)> We're had a hacker on two of our FreeBSD -current machines who =)> hacked the machine as root. =)> =)> The symptoms are as follows: =)> 1) User on mercury machine complained about perl5 not working which was =)> perl5.003 since libmalloc lib it was linked to was missing. =)> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403 =)> and it works. =)> 3) User hacks earth when he doesn't even have a account on the machine =)> and can login to the machine remotely as root when rlogin and telnet =)> wouldn't allow it. =)> 4) User is invisible in w, finger, who, users and can only be seen using =)> ps -agux on a pty so I killed the process. =)> 5) User changes hostnames even in a netstat output so it's all garbage =)> 6) We went to inetd.conf and shut off all daemons except telnetd and =)> rebooted and user still can get onto the machine invisibly. =)> 7) User shuts down the machine and changes root password =)> =)> Saw the user on irc posting the password of earth with the login =)> name root. Any ideas? =) =)Well it is possible that he has recompiled /usr/bin/login for example. =)Something like: =)if(strcmp(username, "blahblah")==0) =){ =)setuid(0); =)setgid(0); =)system("/bin/sh"); =)} =)inserted does the job. You are then invisible to w and others... bot not =)netstat i think... He wasn't invisible to netstat but he did do something that faked the hostname even in netstat. =)There was a security hole some time ago in perl that allowed local users =)to gain root access... That's probably the way he got root access... =)I would check my binaries, sup and recompile. Hmmm, I supped the perl from the most recent ports tree and also all the binaries are about 2 months old from the -current tree. I thought the security hole was way before that. What I didn't get is how did he get access to the second system (earth) when he doesn't have a account there in the first place? Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]