Date: Mon, 28 Jul 1997 14:41:27 +0200 From: Eric Feillant <Eric.Feillant@EUnet-Bretagne.fr> To: Tomasz Dudziak <loco@onyks.wszib.poznan.pl> Cc: Vincent Poy <vince@mail.MCESTATE.COM>, security@FreeBSD.ORG, "[Mario1-]" <mario1@primenet.com>, JbHunt <johnnyu@accessus.net> Subject: Re: security hole in FreeBSD Message-ID: <33DC9377.655C@EUnet-Bretagne.fr> References: <Pine.BSF.3.96.970728132413.397A-100000@onyks.wszib.poznan.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
Tomasz Dudziak wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Mon, 28 Jul 1997, Vincent Poy wrote:
>
> > Greetings,
> >
> > We're had a hacker on two of our FreeBSD -current machines who
> > hacked the machine as root.
> >
> > The symptoms are as follows:
> > 1) User on mercury machine complained about perl5 not working which was
> > perl5.003 since libmalloc lib it was linked to was missing.
> > 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
> > and it works.
> > 3) User hacks earth when he doesn't even have a account on the machine
> > and can login to the machine remotely as root when rlogin and telnet
> > wouldn't allow it.
> > 4) User is invisible in w, finger, who, users and can only be seen using
> > ps -agux on a pty so I killed the process.
> > 5) User changes hostnames even in a netstat output so it's all garbage
> > 6) We went to inetd.conf and shut off all daemons except telnetd and
> > rebooted and user still can get onto the machine invisibly.
> > 7) User shuts down the machine and changes root password
> >
> > Saw the user on irc posting the password of earth with the login
> > name root. Any ideas?
> >
> >
> > Cheers,
> > Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____
> > Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ]
> > GaiaNet Corporation - M & C Estate / / / / | / | __] ]
> > Beverly Hills, California USA 90210 / / / / / |/ / | __] ]
> > HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
> >
> >
> >
> >
>
> Well it is possible that he has recompiled /usr/bin/login for example.
> Something like:
> if(strcmp(username, "blahblah")==0)
> {
> setuid(0);
> setgid(0);
> system("/bin/sh");
> }
> inserted does the job. You are then invisible to w and others... bot not
> netstat i think...
Another way to be invisible is to try something like that:
rsh localhost sh
A w or who command see nothing. A ps does.
> There was a security hole some time ago in perl that allowed local users
> to gain root access... That's probably the way he got root access...
> I would check my binaries, sup and recompile.
> greetings,
> Tomasz Dudziak
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
>
> iQB1AwUBM9ye6gQ/iaB0xTA5AQHMewL+NGZQhiQG0Q4ccSbNmAAGaJYQfRDUl9Jn
> yb0c+6lP2AW6Om3VhSMFbxlpCgm+wPbrhb2FzwvA8Ad9ELErDdWqIsXGLFa46Gw/
> ogLqhFgghp+6aAWTwjWYf0J5qWD7iIIn
> =sbe9
> -----END PGP SIGNATURE-----
--
========= ____ ===== Eric Feillant
======== / / / ___ ___ /_ ====== EUnet BRETAGNE
======= /---- / / / / /___/ / ======= 140, bd de Creach Gwen
====== /____ /___/ / / /___ /_ ======== 29000 QUIMPER, France
===== Bretagne ========= Tel:(+33) 298101620
Fax:(+33) 298101629
Eric.Feillant@EUnet.fr
http://www.EUnet.fr
Partenaire CISCO, CHECKPOINT (FIREWALL), BAY NETWORKS, UB NETWORK, SUN,
CITRIX
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?33DC9377.655C>