Date: Thu, 23 Jul 1998 23:19:05 -0500 (CDT)
From: "Lee Crites (ASC)" <leec@adam.adonai.net>
To: Garance A Drosihn <drosih@rpi.edu>
Cc: Drew Derbyshire <ahd@kew.com>, security@FreeBSD.ORG
Subject: Re: hacked and don't know why
Message-ID: <Pine.BSF.3.96.980723231641.9874A-100000@adam.adonai.net>
In-Reply-To: <v04011703b1dc263644f1@[128.113.24.47]>
On Wed, 22 Jul 1998, Garance A Drosihn wrote:

=>That executable would see a few things about what privileges it
=>was running with before trying to do nasty things. No matter
=>what, it would then run the *real* program, so the user always
=>got the results that they were expecting to see. All the
=>*real* programs were buried in a non-obvious directory. So,
=>the nasty program would find out what path it was started up
=>as, and then just add /var/.hidden/non-obviousplace on to the
=>front of that pathname. So, the exact same executable could be
=>used to replace all executables in a given directory.

This sounds exactly like what I was seeing. After I regained some presence of mind I thought it would have been nice if I could have checked for something like that. In fact, for all I know, the "executable" I was looking at might have just been a script. Okay, okay, a 180-something-k script might be a little excessive, but the point is I have no idea what was there.

I did notice, though, that each command appeared to work properly even though the command itself was exactly the same as all of the other ones.

Lee

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Lee Crites
Adonai Services Company, Round Rock, Texas
leec@adonai.net
http://www.adonai.net/~leec
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
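The wrapper described in the quoted message leaves two footprints that are cheap to look for: every trojaned command in a directory is the same file (same size, same checksum), and the real binaries live in a dot-directory somewhere like /var. The script below is an added example written for this archive page, not code from the thread or from FreeBSD; it assumes only a POSIX sh with find, sort and awk, and picks sha256(1) (FreeBSD), sha256sum (GNU) or cksum for hashing. The /var/.hidden path is the message's own example; the function takes whatever roots you give it. Two caveats a practitioner would add: a handful of identical executables is normal on a clean system (hard-linked families such as gzip/gunzip/zcat), so the output is a review list rather than a verdict; and on a box you believe is compromised, find, awk and the hashing tool may themselves be the wrapper, so run this from a boot CD or a mounted copy of the suspect filesystem, not from the suspect system's own PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): look for the two symptoms
# of a wrapper-style trojan in a directory of commands.

# hash_file FILE: print a checksum using whichever tool is installed.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then      # FreeBSD sha256(1)
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then # GNU coreutils
        sha256sum "$1" | cut -d' ' -f1
    else                                            # POSIX fallback (weak, but present everywhere)
        cksum "$1" | cut -d' ' -f1
    fi
}

# find_dup_binaries DIR...: print one line per group of byte-identical
# executables directly inside the given directories, formatted as
# "<count> identical: path path ...", largest group first.
# Returns 0 when at least one group exists, 1 otherwise.
# Paths containing spaces are not handled (awk splits on whitespace).
find_dup_binaries() {
    out=$(
        for d in "$@"; do
            find "$d" -maxdepth 1 -type f -perm -100 2>/dev/null
        done | while IFS= read -r f; do
            printf '%s %s\n' "$(hash_file "$f")" "$f"
        done | sort | awk '
            { n[$1]++; files[$1] = files[$1] " " $2 }
            END { for (h in n) if (n[h] > 1) print n[h] " identical:" files[h] }
        ' | sort -rn
    )
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# find_hidden_dirs ROOT...: list dot-directories anywhere under the given
# roots, the kind of stash the quoted message describes (the real binaries
# parked under a /var/.something path). Returns 0 if any were found.
find_hidden_dirs() {
    out=$(for d in "$@"; do find "$d" -type d -name '.?*' 2>/dev/null; done)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Usage when run as a script: ./check.sh /bin /sbin /usr/bin /usr/sbin
# (hidden-directory sweep of /var is a separate call: find_hidden_dirs /var)
if [ "$#" -gt 0 ]; then
    find_dup_binaries "$@" || echo "no identical executables found"
fi
```

If the duplicate list contains most of a directory, compare one member against a known-good copy from the install media or a package checksum rather than trusting what the file reports about itself; the message's whole point is that the wrapper runs the real program afterwards, so behaviour alone tells you nothing.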
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980723231641.9874A-100000>