From owner-freebsd-security Fri Jul 12 20:13:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA02647 for security-outgoing; Fri, 12 Jul 1996 20:13:09 -0700 (PDT)
Received: from dhp.com (dhp.com [199.245.105.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA02637 for ; Fri, 12 Jul 1996 20:12:59 -0700 (PDT)
Received: (from jaeger@localhost) by dhp.com (8.7.5/8.6.12) id XAA14463; Fri, 12 Jul 1996 23:12:53 -0400
Date: Fri, 12 Jul 1996 23:12:48 -0400 (EDT)
From: jaeger
To: vince@mercury.gaianet.net
cc: freebsd-security@freebsd.org
Subject: Re: ROOT COMPROMISE
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This has got to be some of the lamest cracking activity I've seen in a long
time, and I'd thought I'd seen it all ;>. If this type of activity had been
going on unnoticed (Modifying root's .forward?? Incidentally, you should
probably use /etc/aliases for this..) then you could have been the target of
someone with more skill and never ever noticed. I'd suggest some type of
security audit immediately...

The chmod'ing of "bsdiexp" 6777 suggests an exploitation of the recently
discovered root hole in suidperl. It could also be a backdoor root shell; it
isn't clear from the logs just what this is, exploit or backdoor.

It's very refreshing to see actual cracking activity discussed. Excepting a
few papers from years ago, Shimomura's excellent dissection of the Christmas
'94 attack on his box, and a few recent bits and pieces, the white hats don't
get to see much of the actual intruder activity that's going on. Please keep
up the status reports :).

-jaeger
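The two indicators the message calls out, a file chmod'ed 6777 and a tampered root .forward, can be swept for with a small audit script. This is an added example, not part of the original post; the file and directory names in the constructed sample tree are made up, and the script only reports, it changes nothing.

```sh
#!/bin/sh
# Added audit helpers (not from the original message). find_setugid lists
# files carrying a setuid or setgid bit, which catches a mode-6777 root shell
# like "bsdiexp"; forward_suspicious flags a .forward that does more than
# forward to a plain address (pipe to a command, :include:, or a file path).

# find_setugid DIR...: print every regular file with setuid or setgid set.
# -xdev keeps the scan on one filesystem; run once per mounted filesystem.
find_setugid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# forward_suspicious FILE: exit status 0 when a line starts with an optional
# quote followed by '|', ':include:' or '/', i.e. not a bare mail address.
forward_suspicious() {
    grep -Eq '^[[:space:]]*"?(\||:include:|/)' "$1" 2>/dev/null
}

# demo: builds a constructed sample tree standing in for a compromised host,
# runs both checks against it, and cleans up.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/bin" "$tmp/root"
    : > "$tmp/usr/local/bin/bsdiexp"
    chmod 6777 "$tmp/usr/local/bin/bsdiexp"        # the mode from the report
    : > "$tmp/usr/local/bin/normal"
    chmod 0755 "$tmp/usr/local/bin/normal"         # ordinary binary, ignored
    printf '|/some/unexpected/command\n' > "$tmp/root/.forward"   # constructed
    echo "setuid/setgid files:"
    find_setugid "$tmp"
    if forward_suspicious "$tmp/root/.forward"; then
        echo "root .forward does more than forward mail: review it"
    fi
    rm -rf "$tmp"
}

demo
```

On a live system, feed find_setugid the real mount points and compare its output against a known-good list taken at install time; anything new is what the message's "security audit" is looking for.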