Re: ruserok() & /etc/hosts.equiv

Carl Corey (ccdes@ccdes.princeton.nj.us)
Fri, 20 May 1994 19:37:35 -0500

At  8:39 AM 5/14/94 +0200, Daniel Azuelos wrote:
>Sun still distribute 4.1.3_U1 with a '/etc/hosts.equiv'
>containing a '+'. And this authorize access from *any* host!
>

ObNote:

        once an intruder logs into one of these above machines as bin, a quick
glimpse of how the OS was shipped shows that bin owns /usr/lib/newsyslog ...
this shell script is _owned_ by bin, but run by root every sat AM at 4:05.
(as shipped).  Once I was playing around and wanted to include some newsyslog
functions in a multi-purpose script - and noticed that the script had
an added function - creating a SUID sh in /usr/lib/.../... every week.
The mod dates show it was done almost a year before I found it.  Turns out
that the previous admin didn't like doing a find on / so he never checked
for suid files.  I notified the current admin, and he fixed it up, etc...
3 days later we found some patched login.c's on backups...  Shut the whole
thing down, reinstalled from scratch.  Bah.