Date: Mon, 28 Jul 1997 12:29:43 -0700 (PDT)
From: Vincent Poy <vince@mail.MCESTATE.COM>
To: David Langford <langfod@dihelix.com>
Cc: security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD
Message-ID: <Pine.BSF.3.95.970728122545.3844j-100000@mail.MCESTATE.COM>
In-Reply-To: <199707281830.IAA15209@caliban.dihelix.com>

On Mon, 28 Jul 1997, David Langford wrote:

=)I recently caught a break-in fairly similar.
=)The perp replaced /bin/login with one that would let them login
=)to ANY account with a password of "lemmein". The login would NOT be logged
=)and so it was very difficult to tell what was going on.

Hmmm, I can understand this can be done if the user had access to the system in the first place which he did on the mercury machine but how did he do it on the earth machine?

=)My only guess is that they used the old suidperl hack to get root.
=)Supposedly this doesn't work on newer perl though.

I supped the latest ports tree, built and installed perl5.00401 and sperl5.00401 and deleted the perl5.003 and sperl5.003 in /usr/local/bin so it wasn't the old version of perl.

=)My suggestion to you would be to get a clean source tree, recompile everything
=)and install tripwire.

I'll do that as soon as the machine comes back up. I heard that suid programs can be a problem too but which ones are required to be suid?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate                     / / / / | / | __] ]
Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]