Date: Tue, 25 Jun 1996 09:53:11 -0700 (PDT)
From: Arlen Fletcher <fletcher@paccar.com>
To: security@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <199606251653.JAA09261@mugwump.paccar.com>

At 08:43 AM 6/25/96 -0700, you wrote:
>On Tue, 25 Jun 1996, Michael Smith wrote:
> [snip]
>Ok, this is jb. First off all this copied from here to there as root
>didn't happen. I gave this fella an account knowing more than likely if
>we had a hole he would find it. Unfortunately I wasn't watching his tty
>when he actually used whatever exploit he used. He obviously used a
>setuid exploit so I suggest that there is a New exploit out abusing a
>setuid program somewhere on the system because I know vince fixed the
>mount_union and current fixed the old ypwhich hack. Or actually maybe not
>so old for some of you, but either way I did have to give him an account
>before he could do anything. However, once inside it took him 2 minutes
>and he was root. I know for a fact it was his FIRST look inside the

Did you by any chance check the history file? I presume he vaporized it,
but you never know....

Of course it's 20/20 hindsight, but copying the history file somewhere else
when you see a user doing something bizarre (like becoming root) might be
worth thinking about in the future.

-----------------------------------------------------------------
Opinions expressed in this message are mine and not
necessarily those of my employer.
-----------------------------------------------------------------
Arlen Fletcher N7YIM fletcher@paccar.com
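
As an added example (not part of the original message or thread): one way to do the history-file copy suggested above, keeping timestamps and recording a hash so the copy can be checked later. The function names, the list of history file names and the evidence directory layout are assumptions.

```shell
#!/bin/sh
# Added example: snapshot a user's shell history files as evidence.
# Function names, file list and destination layout are assumptions.

# Use whichever SHA-256 tool this system has (GNU, perl shasum, FreeBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# preserve_history HOME_DIR EVIDENCE_DIR
# Copies known history files with mode and mtime intact into a UTC-stamped
# directory, writes a MANIFEST, and prints the number of files preserved.
# The body runs in a subshell so the umask change does not leak to the caller.
preserve_history() (
    home=$1
    dest=$2/$(date -u +%Y%m%dT%H%M%SZ)
    count=0
    umask 077
    mkdir -p "$dest" || exit 1
    for name in .history .sh_history .bash_history .zsh_history; do
        src=$home/$name
        # A history file symlinked elsewhere (often /dev/null) is itself a
        # finding: record the link target instead of following it.
        if [ -L "$src" ]; then
            printf 'SYMLINK %s -> %s\n' "$name" "$(readlink "$src")" >>"$dest/MANIFEST"
            continue
        fi
        [ -f "$src" ] || continue
        cp -p "$src" "$dest/$name" || continue
        printf '%s  %s  %s bytes\n' "$(hash_file "$dest/$name")" "$name" \
            "$(wc -c <"$dest/$name" | tr -d ' ')" >>"$dest/MANIFEST"
        count=$((count + 1))
    done
    echo "$count"
)
```

Run it as root with the evidence directory on a filesystem the user cannot write to, for instance `preserve_history /home/someuser /var/evidence` (both paths are placeholders).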