From owner-freebsd-security Tue Dec 10 17:47:08 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id RAA23323 for security-outgoing; Tue, 10 Dec 1996 17:47:08 -0800 (PST)
Received: from ican.net (ican.net [198.133.36.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id RAA23318 for ; Tue, 10 Dec 1996 17:47:06 -0800 (PST)
Received: from gate.ican.net(really [198.133.36.2]) by ican.net via sendmail with esmtp id for ; Tue, 10 Dec 1996 20:47:04 -0500 (EST) (Smail-3.2 1996-Jul-4 #1 built 1996-Jul-10)
Received: (from smap@localhost) by gate.ican.net (8.7.5/8.7.3) id UAA23089; Tue, 10 Dec 1996 20:43:46 -0500 (EST)
Received: from nap.io.org(10.1.1.3) by gate.ican.net via smap (V1.3) id sma023087; Tue Dec 10 20:43:43 1996
Received: from localhost (taob@localhost) by nap.io.org (8.7.5/8.7.3) with SMTP id UAA10163; Tue, 10 Dec 1996 20:40:46 -0500 (EST)
X-Authentication-Warning: nap.io.org: taob owned process doing -bs
Date: Tue, 10 Dec 1996 20:40:46 -0500 (EST)
From: Brian Tao
To: Brian Mitchell
cc: FREEBSD-SECURITY-L
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996, Brian Mitchell wrote:
>
> I'm not sure it is wise to announce to the world that you are not running
> a tripwire-style program.

    Now I didn't say *that*.  I just said I would like to have something
like tripwire to automate this for me, instead of diffing md5 output via
a script I cobbled together.  ;-)

    MD5 checksums of all files checked out (binaries, libs, lkms, scripts,
etc.), including /sbin/md5 itself.  There were no regular files in /dev
other than MAKEDEV and MAKEDEV.local (a favourite hiding place for rootkit
config files).  No unexpected setuid executables have been found on any
of the affected servers.
    I did find the following three files on one of the shell servers, which
suggests the original compromise started there:

-rw-r--r-- speff/user      2363 Dec  1 17:37 1996 usr/include/net/nit_buf.h
-rw-r--r-- speff/user      2628 Dec  1 17:37 1996 usr/include/net/nit_if.h
-rw-r--r-- speff/user      3016 Dec  1 17:37 1996 usr/include/sys/stropts.h

    The date on the files is worrisome: they are over a week old.  The
packet sniffer binaries and logs were no more than 24 hours old when I
discovered them though, so I'm crossing my fingers and hoping he hasn't
been watching packets longer than that.  Thank god all our root sessions
are done through end-to-end encrypted connections...
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"