From owner-freebsd-security Tue Dec 10 06:38:10 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id GAA04838 for security-outgoing; Tue, 10 Dec 1996 06:38:10 -0800 (PST)
Received: from freebsd.netcom.com (freebsd.netcom.com [198.211.79.3]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id GAA04832 for ; Tue, 10 Dec 1996 06:38:07 -0800 (PST)
Received: by freebsd.netcom.com (8.6.12/SMI-4.1) id IAA24062; Tue, 10 Dec 1996 08:36:49 -0600
From: bugs@freebsd.netcom.com (Mark Hittinger)
Message-Id: <199612101436.IAA24062@freebsd.netcom.com>
Subject: Re: URGENT: Packet sniffer found on my system
To: taob@io.org (Brian Tao)
Date: Tue, 10 Dec 1996 08:36:49 -0600 (CST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Brian Tao" at Dec 10, 96 00:15:52 am
X-Mailer: ELM [version 2.4 PL25]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> all but six setuid root binaries chmod 500'd. The Web/FTP server does
> not grant shell access. Is there something with Apache 1.1.1 or
> wu-ftpd I don't know about that allows a user to execute arbitrary
> code as root? I noticed lpr still had its setuid bit on the FTP
> server, but afaik, there is no way to tell wu-ftpd to run arbitrary
> programs as root. We are running wu-ftpd 2.4(1).

> Any ideas how root access was available so easily?

The wu-ftpd looks a little old - it probably does not have Hobbit's fixes
in it. You might want to get the beta-11 of wu-ftpd and put that up. The
beta-11 incorporates Hobbit's fixes.

Look at cgiwrap for the cgi's on the apache server, look at hacking ftpd
to chroot.

Make sure users can't create .forward or .rhost files in their ftp
directory.

Get rid of hosts.equiv - make sure the rlogin/rsh/rcp stuff is disabled.

Look at secure rpcbind from ftp.cert.org.

Good luck.

Regards,

Mark Hittinger
Netcom/Dallas
bugs@freebsd.netcom.com
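
One way to check a host against the file and r-service items in the checklist above, as an added example that is not part of the original message. The function names are hypothetical, the sample tree and its inetd.conf lines are constructed, and it assumes the r-services are started from inetd.conf under the service names shell, login and exec.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# .forward / .rhosts files anywhere under the FTP area
trust_files() {
    find "$1" \( -name .forward -o -name .rhosts \) -print 2>/dev/null
}

# World-writable directories under the FTP area, where such files could be created
writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null
}

# Uncommented inetd.conf entries: shell (rsh/rcp), login (rlogin), exec (rexec)
r_services() {
    [ -r "$1" ] || return 0
    grep -E '^(shell|login|exec)[[:space:]]' "$1" || true
}

# Prints the path if hosts.equiv exists in the given etc directory
hosts_equiv() {
    [ -e "$1/hosts.equiv" ] && echo "$1/hosts.equiv"
    return 0
}

# audit FTPDIR ETCDIR: one tagged line per finding
audit() {
    trust_files "$1"           | sed 's/^/TRUST-FILE   /'
    writable_dirs "$1"         | sed 's/^/WRITABLE-DIR /'
    r_services "$2/inetd.conf" | sed 's/^/R-SERVICE    /'
    hosts_equiv "$2"           | sed 's/^/HOSTS-EQUIV  /'
}

# Constructed sample tree so the script runs offline
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/ftp/incoming" "$d/ftp/pub" "$d/etc"
    chmod 755 "$d/ftp" "$d/ftp/pub"; chmod 777 "$d/ftp/incoming"
    : > "$d/ftp/incoming/.rhosts"; : > "$d/ftp/.forward"; : > "$d/etc/hosts.equiv"
    printf '%s\n' '#login stream tcp nowait root /usr/libexec/rlogind rlogind' \
        'shell stream tcp nowait root /usr/libexec/rshd rshd' \
        'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' > "$d/etc/inetd.conf"
    echo "$d"
}

# Two arguments: audit a real FTP root and etc directory; none: audit the sample
if [ "$#" -eq 2 ]; then audit "$1" "$2"
else s=$(make_sample) && audit "$s/ftp" "$s/etc"; rm -rf "$s"; fi
```

An empty result means none of these four conditions were found; it says nothing about the wu-ftpd version, CGI wrapping or rpcbind, which need separate checks.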