From owner-freebsd-security  Mon Jul 28 12:29:56 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id MAA26482
          for security-outgoing; Mon, 28 Jul 1997 12:29:56 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA26466
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 12:29:53 -0700 (PDT)
Received: from localhost (vince@localhost)
	by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id MAA05613;
	Mon, 28 Jul 1997 12:29:44 -0700 (PDT)
Date: Mon, 28 Jul 1997 12:29:43 -0700 (PDT)
From: Vincent Poy <vince@mail.MCESTATE.COM>
To: David Langford <langfod@dihelix.com>
cc: security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707281830.IAA15209@caliban.dihelix.com>
Message-ID: <Pine.BSF.3.95.970728122545.3844j-100000@mail.MCESTATE.COM>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, David Langford wrote:

=)I recently caught a breakin faily simaliar. 
=)The perp replace /bin/login with one that would let them login
=)to ANY account with a password of "lemmein". The login would NOT be logged
=)and so it was very difficult to tell what was going on.

	Hmmm, I can understand this can be done if the user had access to
the system in the first place which he did on the mercury machine but how
did he do it on the earth machine?

=)My only guess is that they used the old suidperl hack to get root. 
=)Supposedly this doesnt work on newer perl though.

	I supped the  latest ports tree, build and install perl5.00401 and
sperl5.00401 and deleted the perl5.003 and sperl5.003 in /usr/local/bin so
it wasn't the old version of perl.

=)My suggestion to you would be to get a clean source tree, recompile everything
=)and install tripwire.

	I'll do that as soon as the machine comes back up.  I heard that
suid programs can be a problem too but which ones are required to be suid?


Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]  
Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]