> > I need some answers, badly.
> >
> > The OS was SunOS 4.1.3_U1B. The machine was a 4/470.
> >
> > A site I was helping on was broken in and maliciously destroyed the
> > other day (rendered un-login-able), apparently via a hole I am unaware
> > of (thanks for nothing, security thru obscurity folks - the crackers DO
> > have information that is denied us 'ordinary' folks). This was a new
> > install, and it lasted about 4 days. One person heard thru the cracker
> > grapevine that root was broken thru /bin/mail. HOW?! The permissions-
> > fixing script from Sun had been run, plus things like arp, chill and
> > rdist were made unavailable to users (chmod o-rx). Rdist was replaced
> > by the fixed version and made unavailable for use to users (chmod o-rx).
> > The original passwd command was made mode 400, as well as yppasswd, and
> > a replacement passwd command was installed that didn't have the -F
> > option, or the chfn or chsh options. The C2conv script had also been
> > run. Sendmail was replaced by the newest version with all the fixes,
> > and bind 4.9.2 replaced the original nameserver, as well as its resolver
> > library. All programs replaced were renamed and made mode 400, owner
> > root. Newsyslog was also chown'd to root, and the chmod 666 $LOG was
> > changed to 644. /etc/utmp was also changed to mode 644. Without better
> > info, all the above work was a total waste of time.
> >
> > Can someone out there please inform me how these cracker types are getting
> > root privs, and how one can stop it short of disconnecting the machine?
> > And most important, how one can test for these vulnerabilities, and FIX
> > them. Is there a hole in /bin/mail? How does one test for it (I am working
> > on a port of net-2s /bin/mail replacement). Also, how can one prevent
> > anyone from being able to forge mail via the -f option?

8lgm posted a /bin/mail script that showed a vulnerability on Usenet and Sun responded a few weeks later with a patch. 8lgm showed with another script that their patch had not fixed the problem, but had made it worse. I do not believe Sun has since released another patch to fix the problem. This was like 3 months ago or more. So, maybe Sun has released a new patch for bin/mail, but I have been subscribed to sun's security patch mailing list and have not seen anything regarding a fix.

--
Christopher William Klaus <cklaus@shadow.net> <iss@shadow.net>
Internet Security Systems, Inc.          Computer Security Consulting
2209 Summit Place Drive,                 Penetration Analysis of Networks
Atlanta, GA 30350-2430. (404)518-0099.   Fax: (404)518-0030
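The quoted post lists a hardening procedure (originals made mode 400 owner root, /etc/utmp tightened to 644) but had no way to confirm the settings stayed in place. As an added example, not code from either poster, here is a small audit that re-checks such expectations; it assumes GNU `stat -c`, and the /bin/passwd and /bin/yppasswd locations are assumed since the post names only the commands.

```shell
#!/bin/sh
# Added example: verify that sensitive files still carry the mode and owner
# a hardening pass gave them. Assumes GNU stat (-c '%a' / '%U').

# check_one PATH MODE OWNER: print one finding line; status 0 only when the
# file exists with exactly the expected octal mode and owner name.
check_one() {
    path=$1; want_mode=$2; want_owner=$3
    if [ ! -e "$path" ]; then
        printf 'MISSING  %s\n' "$path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")
    have_owner=$(stat -c '%U' "$path")
    if [ "$have_mode" = "$want_mode" ] && [ "$have_owner" = "$want_owner" ]; then
        printf 'OK       %s %s %s\n' "$path" "$have_mode" "$have_owner"
        return 0
    fi
    printf 'MISMATCH %s want=%s/%s have=%s/%s\n' \
        "$path" "$want_mode" "$want_owner" "$have_mode" "$have_owner"
    return 1
}

# Expectations drawn from the post: "path mode owner", one per line.
# /bin/passwd and /bin/yppasswd paths are assumed; /etc/utmp is as posted.
POST_EXPECTATIONS='
/bin/passwd 400 root
/bin/yppasswd 400 root
/etc/utmp 644 root
'

# audit_tree ROOT [LIST]: check each expectation under ROOT (use "" for the
# live system). Prints findings and a count; status 0 only if all pass.
# A here-document feeds the loop so the failure count survives in POSIX sh.
audit_tree() {
    root=$1; list=${2:-$POST_EXPECTATIONS}; failed=0
    while read -r p m o; do
        [ -z "$p" ] && continue
        check_one "$root$p" "$m" "$o" || failed=$((failed + 1))
    done <<EOF
$list
EOF
    printf '%s failure(s)\n' "$failed"
    [ "$failed" -eq 0 ]
}
```

Run `audit_tree ""` from cron after a hardening pass; any MISSING or MISMATCH line means a protected file was replaced, reopened, or reowned.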