From owner-freebsd-security Mon Jul 28 12:29:56 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA26482 for security-outgoing; Mon, 28 Jul 1997 12:29:56 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA26466 for ; Mon, 28 Jul 1997 12:29:53 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id MAA05613; Mon, 28 Jul 1997 12:29:44 -0700 (PDT)
Date: Mon, 28 Jul 1997 12:29:43 -0700 (PDT)
From: Vincent Poy
To: David Langford
cc: security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707281830.IAA15209@caliban.dihelix.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, David Langford wrote:

=)I recently caught a break-in fairly similar.
=)The perp replaced /bin/login with one that would let them login
=)to ANY account with a password of "lemmein". The login would NOT be logged
=)and so it was very difficult to tell what was going on.

	Hmmm, I can understand this can be done if the user had access to the system in the first place, which he did on the mercury machine, but how did he do it on the earth machine?

=)My only guess is that they used the old suidperl hack to get root.
=)Supposedly this doesn't work on newer perl though.

	I supped the latest ports tree, built and installed perl5.00401 and sperl5.00401 and deleted the perl5.003 and sperl5.003 in /usr/local/bin, so it wasn't the old version of perl.

=)My suggestion to you would be to get a clean source tree, recompile everything
=)and install tripwire.

	I'll do that as soon as the machine comes back up. I heard that suid programs can be a problem too, but which ones are required to be suid?

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET            ________ __ ____
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
GaiaNet Corporation - M & C Estate                     / / / / | / | __] ]
Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
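
The following Python example is added here and is not part of the original message, nor is it Tripwire's own code: it shows the kind of baseline comparison the tripwire suggestion relies on, and flags files that have become setuid or setgid, which bears on the suid question above. The function names and the sample tree under a temporary directory are constructed for illustration.

```python
import hashlib
import pathlib
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID

def snapshot(root):
    """Map each regular file under root to (sha256, permission bits, owner uid)."""
    snap = {}
    for path in pathlib.Path(root).rglob("*"):
        st = path.lstat()
        if stat.S_ISREG(st.st_mode):  # skip directories, symlinks, devices
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            rel = path.relative_to(root).as_posix()
            snap[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_uid)
    return snap

def compare(baseline, current):
    """Return (path, finding) pairs for every difference from the baseline."""
    out = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if new is None:
            out.append((path, "removed"))
            continue
        if old is None:
            out.append((path, "added"))
        elif old[0] != new[0]:
            out.append((path, "content changed"))
        if old is not None and old[1:] != new[1:]:
            out.append((path, "mode/owner changed"))
        if new[1] & SPECIAL and not (old and old[1] & SPECIAL):
            out.append((path, "newly setuid/setgid"))
    return out

def demo():
    """Constructed tree: a stand-in bin/login is replaced, a setuid file appears."""
    with tempfile.TemporaryDirectory() as root:
        bindir = pathlib.Path(root, "bin")
        bindir.mkdir()
        (bindir / "login").write_bytes(b"stand-in for the original login\n")
        baseline = snapshot(root)  # taken while the tree is known clean
        (bindir / "login").write_bytes(b"stand-in for a replaced login\n")
        (bindir / "helper").write_bytes(b"")
        (bindir / "helper").chmod(0o4755)
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The baseline has to come from a known-clean install and be kept on read-only or off-host media, since an intruder with root can rewrite a baseline stored on the same machine.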