From owner-freebsd-hackers  Fri Aug  1 17:15:36 1997
Return-Path: <owner-freebsd-hackers>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id RAA21043
          for hackers-outgoing; Fri, 1 Aug 1997 17:15:36 -0700 (PDT)
Received: from misery.sdf.com (misery.sdf.com [204.244.210.193])
          by hub.freebsd.org (8.8.5/8.8.5) with SMTP id RAA21037
          for <hackers@freebsd.org>; Fri, 1 Aug 1997 17:15:33 -0700 (PDT)
Received: from tom by misery.sdf.com with smtp (Exim 1.62 #1)
	id 0wuRqq-00029H-00; Fri, 1 Aug 1997 17:15:20 -0700
Date: Fri, 1 Aug 1997 17:15:19 -0700 (PDT)
From: Tom Samplonius <tom@sdf.com>
To: Dan Riley <daniel@vailsys.com>
cc: Sergio Lenzi <lenzi@bsi.com.br>, hackers@freebsd.org
Subject: Re: security hole on FreeBSD 2.2.2
In-Reply-To: <Pine.BSF.3.91.970801185128.6383A-100000@crocodile>
Message-ID: <Pine.BSF.3.95q.970801171241.8042A-100000@misery.sdf.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


On Fri, 1 Aug 1997, Dan Riley wrote:

> 
> 
> On Fri, 1 Aug 1997, Sergio Lenzi wrote:
> 
> > 
> > 
> >    
> > Hello all 
> > 
> > Forgive me to send this message on this list.
> > 
> > There is a security hole on FreeBSD 2.2.2
> > 
> > This is done using a script and a superl* on /usr/bin
> > 
> > A friend of mine received root priority by telneting to my machine (2.2.2)
> > and executing a perl script.
> > 
> > My solution: remove /usr/bin/superl*
> > 
> > Hope this can helphelp
> > 
> 
> Ditto, at least 3 of my machines were hacked using this method, all of 
> which were installed last week. (2.2.2-R)
> 
> 
> 

  Huh?  I'm looking at /usr/bin/ on couple of 2.2.2 machines and there is
no superl*... what is that file supposed to be anyhow?

  Are you sure you did not install from a tainted distribution that had a
backdoor installed?  Or, were you fooled in running a trojan horse as root
and it created the superl* file?


Tom