Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 28 Jul 1997 12:49:00 -0700 (PDT)
From:      Vincent Poy <vince@mail.MCESTATE.COM>
To:        Ollivier Robert <roberto@keltia.freenix.fr>
Cc:        security@FreeBSD.ORG, JbHunt <johnnyu@accessus.net>, "[Mario1-]" <mario1@PrimeNet.Com>
Subject:   Re: security hole in FreeBSD
Message-ID:  <Pine.BSF.3.95.970728124603.3844p-100000@mail.MCESTATE.COM>
In-Reply-To: <19970728171633.10794@keltia.freenix.fr>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, 28 Jul 1997, Ollivier Robert wrote:

=)According to Vincent Poy:
=)> 1) User on mercury machine complained about perl5 not working which was
=)> perl5.003 since libmalloc lib it was linked to was missing.
=)> 2) I recompiled the perl5 port from the ports tree and it's perl5.00403
=)> and it works.
=)
=)I don't think he used perl to hack root unless you kept old versions of
=)Perl4 and Perl5. The buffer overflows in Perl4 were plugged in May by
=)Werner. 5.003+ holes are fixed in 5.004 and later.

	Nope, when I added perl5 yesterday from the ports tree, I deleted
the perl5.003 and sperl5.003 that was there after it got updated to
perl5.00401 and sperl5.00401.  Is the /usr/bin/perl vulnerable in any way?

=)> 6) We went to inetd.conf and shut off all daemons except telnetd and 
=)> rebooted and user still can get onto the machine invisibly.
=)
=)That shows that he has used a spare port to hook a root shell on. In these
=)case, "netstat -a" or "lsof -i:TCP" will give you all connections,
=)including those on which a program is LISTENing to. That way you'll catch
=)any process left on a port.

	True but netstat wasn't working anymore after we kicked him off
the first time and rejected all packets from his ip # when he came back
on.


Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET           ________   __ ____ 
Unix Networking Operations - FreeBSD-Real Unix for Free / / / / |  / |[__  ]
GaiaNet Corporation - M & C Estate                     / / / /  | /  | __] ]  
Beverly Hills, California USA 90210                   / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970728124603.3844p-100000>