From owner-freebsd-security Sat Feb 24 14:10:46 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3)
    id OAA22808 for security-outgoing; Sat, 24 Feb 1996 14:10:46 -0800 (PST)
Received: from zap.io.org (root@zap.io.org [198.133.36.81])
    by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA22780 for ;
    Sat, 24 Feb 1996 14:10:42 -0800 (PST)
Received: (from taob@localhost) by zap.io.org (8.6.12/8.6.12)
    id RAA00397; Sat, 24 Feb 1996 17:10:31 -0500
Date: Sat, 24 Feb 1996 17:10:31 -0500 (EST)
From: Brian Tao
To: FREEBSD-SECURITY-L
Subject: Suspicious symlinks in /tmp
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

    I know I've read about this kind of hacking attempt before, but I
can't seem to locate the information I had on this particular style.
It looks like a botched attempt though, by someone who probably read
about this vulnerability in a cracker 'zine or CERT/8lgm/bugtraq
report.

# cd /tmp ; ls -l passwd*
lrwxrwxrwt  1 bin  user  21 Feb 24 17:04 passwd-link.19573 -> /tmp/passwd-dir.19573
lrwxrwxrwt  1 bin  user  21 Feb 24 17:04 passwd-link.20196 -> /tmp/passwd-dir.20196
lrwxrwxrwt  1 bin  user  21 Feb 24 17:04 passwd-link.20543 -> /tmp/passwd-dir.20543

    Could someone refresh my memory?
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"