Return-Path: <security-internal-request@MIT.EDU>
Message-Id: <200102081259.HAA19645@tiramisu.lcs.mit.edu>
To: security-internal@MIT.EDU
Subject: John Jannotti: I was almost 0wn3d!
Date: Thu, 08 Feb 2001 07:59:16 EST
From: Kevin Fu <fubob@MIT.EDU>

fyi, bind is being actively exploited on campus now.

--------
Kevin E. Fu (fubob@mit.edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html

------- Forwarded Message
To: "Kevin E. Fu" <fubob@MIT.EDU>, fdabek@MIT.EDU
Subject: I was almost 0wn3d!
From: John Jannotti <jj@lcs.mit.edu>
Date: 08 Feb 2001 06:22:18 -0500


I was nearly owned.  Someone exploited bind to run commands as the named
user.  Fortunately that's "named" on my system.  But they then ran a
suidperl exploit that supposedly takes advantage of a race condition to get
a local user a root shell.  That's when I magically woke up at 5:30am and
noticed my load spiked.  I killed everything before it succeeded (as
evidenced by the intended root shell still being owned by named and not
suid).

I have the suidperl "exploit" (maybe it doesn't even work) detritus lying
around if either of you is interested.  Checking timestamps it looks like
it was running for 4 hrs without yielding a root shell, possibly because my
laptop is slow.

I've upgraded bind on both my machines.

  jj

------- End of Forwarded Message