From owner-freebsd-security Mon Jul 28 11:31:12 1997
Message-Id: <199707281830.IAA15209@caliban.dihelix.com>
Subject: Re: security hole in FreeBSD
In-Reply-To: from Vincent Poy at "Jul 28, 97 03:19:55 am"
To: vince@mail.MCESTATE.COM (Vincent Poy)
Date: Mon, 28 Jul 1997 08:30:48 -1000 (HST)
Cc: security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
From: "David Langford"

I recently caught a break-in fairly similar. The perp replaced /bin/login
with one that would let them log in to ANY account with a password of
"lemmein". The login would NOT be logged and so it was very difficult to
tell what was going on.

My only guess is that they used the old suidperl hack to get root.
Supposedly this doesn't work on newer perl though.

My suggestion to you would be to get a clean source tree, recompile
everything and install tripwire.

-David Langford
langfod@dihelix.com

>The symptoms are as follows:
>1) User on mercury machine complained about perl5 not working which was
>perl5.003 since libmalloc lib it was linked to was missing.
>2) I recompiled the perl5 port from the ports tree and it's perl5.00403
>and it works.
>3) User hacks earth when he doesn't even have an account on the machine
>and can log in to the machine remotely as root when rlogin and telnet
>wouldn't allow it.
>4) User is invisible in w, finger, who, users and can only be seen using
>ps -agux on a pty so I killed the process.
>5) User changes hostnames even in a netstat output so it's all garbage.
>6) We went to inetd.conf and shut off all daemons except telnetd and
>rebooted and user still can get onto the machine invisibly.
>7) User shuts down the machine and changes root password.
>
> Saw the user on irc posting the password of earth with the login
>name root. Any ideas?
>
>
>Cheers,
>Vince - vince@MCESTATE.COM - vince@GAIANET.NET
>Unix Networking Operations - FreeBSD-Real Unix for Free
>GaiaNet Corporation - M & C Estate
>Beverly Hills, California USA 90210
>HongKong Stars/Gravis UltraSound Mailing Lists Admin
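The advice in the mail is a clean rebuild plus Tripwire. As an added example that is not part of this thread, the POSIX shell script below does the smallest version of what Tripwire does: it records a SHA-256 baseline of every regular file under a directory and later reports files whose hash has changed or that have gone missing, which is exactly how a swapped /bin/login shows up. The `demo` function stages a constructed scenario in a throwaway directory with two fake binaries, one of which is then overwritten to stand in for the replaced login binary; that layout and those file contents are assumptions, not anything from the original mail. The baseline file has to live off-host or on read-only media, because an intruder with root can rewrite it as easily as the binary.

```shell
#!/bin/sh
# Minimal file-integrity baseline in the spirit of the Tripwire recommendation.
# Added example, not code from the mail or from Tripwire itself.
set -u

hash_file() {
    # Print the SHA-256 of one file; tolerate the different tool names on
    # Linux (sha256sum), FreeBSD (sha256 -q) and macOS (shasum).
    f=$1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$f"
    else
        shasum -a 256 "$f" | cut -d' ' -f1
    fi
}

make_baseline() {
    # make_baseline ROOT BASELINE: one "hash  path" line per regular file under ROOT.
    root=$1; out=$2
    : > "$out"
    find "$root" -type f | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

check_baseline() {
    # check_baseline BASELINE: print "CHANGED  path" or "MISSING  path" for each
    # file that no longer matches; return 1 if anything differed, 0 if clean.
    base=$1; status=0
    while IFS= read -r line; do
        expected=${line%%  *}
        f=${line#*  }
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"; status=1
        elif [ "$(hash_file "$f")" != "$expected" ]; then
            printf 'CHANGED  %s\n' "$f"; status=1
        fi
    done < "$base"
    return $status
}

demo() {
    # Constructed scenario (assumed layout, not from the mail): baseline a fake
    # bin tree, then overwrite "login" the way the intruder did and re-check.
    tmp=$(mktemp -d)
    printf 'original login\n' > "$tmp/login"
    printf 'original ls\n' > "$tmp/ls"
    make_baseline "$tmp" "$tmp.baseline"
    check_baseline "$tmp.baseline" >/dev/null && before=clean || before=dirty
    printf 'trojaned login\n' > "$tmp/login"
    check_baseline "$tmp.baseline" >/dev/null && after=clean || after=dirty
    rm -rf "$tmp" "$tmp.baseline"
    printf '%s %s\n' "$before" "$after"    # prints: clean dirty
}
```

Run `demo` to see the check pass on the fresh baseline and fail once the file is replaced; in practice you would run `make_baseline /bin baseline.txt` on the freshly rebuilt system and `check_baseline` from cron against a copy of the baseline the host cannot write to.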