Security Incidents mailing list archives

vi as a suid

From: prrar () NITNET COM BR (Paulo Ribeiro)
Date: Tue, 8 Feb 2000 20:32:45 -0200


A friend of mine told me he was having some 'security problems' and
asked me to take a look at his system and see what's going on. He's
using a Red Hat 5.2 Linux.

As I logged into the system, I searched for some backdoors and SUIDs,
GUIDs, etc and look what I've found:

$ ls -la /bin/vi
-rwsrwsrwt   1 root     root        11710 Jan  9 19:32 /bin/vi
$ /bin/vi
:!/bin/sh
# exit

And after checking his servers, I found out that the intruder had broken
into his system by his ftp server and he (the intruder :) had left some
backdoors.

--
Paulo Ribeiro.

Current thread:

massive unapproved AXFR's and odd rcvd NOTIFY's, (continued)
- - - massive unapproved AXFR's and odd rcvd NOTIFY's Paul Wouters (Feb 09)
    - Re: massive unapproved AXFR's and odd rcvd NOTIFY's Francis A. Vidal (Feb 09)
    - [UPDATE]Dos Trojan on Solaris Roderick Padilla (Feb 09)
    - Re: [UPDATE]Dos Trojan on Solaris Ross Mueller (Feb 09)
    - a very strange scan Boris Badenov (Feb 09)
    - Re: a very strange scan Russell Fulton (Feb 10)
    - Possible stacheldraht variant/probe Stephen P. Berry (Feb 09)
    - Re: Possible stacheldraht variant/probe David Brumley (Feb 10)
    - Re: [UPDATE]Dos Trojan on Solaris Robert Lau (Feb 09)
    - Re: Strange traceroute Rob Quinn (Feb 08)
    - vi as a suid Paulo Ribeiro (Feb 08)
  - Re: Strange traceroute Troy Ablan (Feb 05)
    - Re: Strange traceroute Hauke Johannknecht (Feb 08)
  - sendmail vunerability ? E Kelly Bond (Feb 05)
    - Re: sendmail vunerability ? CyberPsychotic (Feb 07)
    - Re: sendmail vunerability ? H D Moore (Feb 10)