At 8:39 AM 5/14/94 +0200, Daniel Azuelos wrote:
>Sun still distributes 4.1.3_U1 with a '/etc/hosts.equiv'
>containing a '+'. And this authorizes access from *any* host!
>

ObNote: once an intruder logs into one of these above machines as bin, a quick glimpse of how the OS was shipped shows that bin owns /usr/lib/newsyslog ... this shell script is _owned_ by bin, but run by root every Sat AM at 4:05 (as shipped).

Once I was playing around and wanted to include some newsyslog functions in a multi-purpose script - and noticed that the script had an added function - creating a SUID sh in /usr/lib/.../... every week. The mod dates show it was done almost a year before I found it. Turns out that the previous admin didn't like doing a find on / so he never checked for suid files.

I notified the current admin, and he fixed it up, etc... 3 days later we found some patched login.c's on backups... Shut the whole thing down, reinstalled from scratch. Bah.
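
The three conditions described in this message (a bare `+` in `/etc/hosts.equiv`, a root cron job that runs a file root does not own, and setuid files nobody inventories) can each be checked mechanically. The script below is an added example, not part of the original message; the function names and the crontab path in the `--audit` branch are assumptions.

```shell
#!/bin/sh
# Added example: audit checks for the three weaknesses described in the post.
# Function names and default paths are assumptions; adjust them per system.

# Succeeds (exit 0) if the hosts.equiv-style file has a bare "+" entry,
# which trusts every host. "+@netgroup" entries are not matched.
equiv_trusts_all() {
    grep -Eq '^[[:space:]]*\+([[:space:]]|$)' "$1" 2>/dev/null
}

# Prints each absolute-path command in a crontab (five time fields, then
# the command) whose file is not owned by the expected numeric uid
# (default 0). A file owned by bin but run by root is the case in the post.
cron_cmds_not_owned_by() {
    crontab_file=$1
    want_uid=${2:-0}
    awk '$1 !~ /^#/ && $6 ~ /^\// { print $6 }' "$crontab_file" |
    sort -u |
    while read -r cmd; do
        [ -e "$cmd" ] || continue
        owner=$(ls -ldn "$cmd" | awk '{ print $3 }')
        [ "$owner" = "$want_uid" ] || echo "$cmd"
    done
}

# Prints every regular file with the setuid bit under a directory, staying
# on one filesystem. Compare the output against a known-good baseline.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Audit real paths only when asked to: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    equiv_trusts_all /etc/hosts.equiv &&
        echo "WARN: /etc/hosts.equiv trusts all hosts"
    cron_cmds_not_owned_by /var/spool/cron/crontabs/root 0 |
        sed 's/^/WARN: root cron runs file not owned by root: /'
    list_suid /
fi
```

Saving the `list_suid` output after a clean install and diffing later runs against it turns a new setuid shell into a one-line difference.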