From owner-freebsd-security Tue Dec 10 18:12:39 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA25691 for security-outgoing; Tue, 10 Dec 1996 18:12:39 -0800 (PST)
Received: from ican.net (ican.net [198.133.36.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id SAA25680 for ; Tue, 10 Dec 1996 18:12:37 -0800 (PST)
Received: from gate.ican.net(really [198.133.36.2]) by ican.net via sendmail with esmtp id for ; Tue, 10 Dec 1996 21:12:36 -0500 (EST) (Smail-3.2 1996-Jul-4 #1 built 1996-Jul-10)
Received: (from smap@localhost) by gate.ican.net (8.7.5/8.7.3) id VAA23485; Tue, 10 Dec 1996 21:09:16 -0500 (EST)
Received: from nap.io.org(10.1.1.3) by gate.ican.net via smap (V1.3) id sma023481; Tue Dec 10 21:08:50 1996
Received: from localhost (taob@localhost) by nap.io.org (8.7.5/8.7.3) with SMTP id VAA10340; Tue, 10 Dec 1996 21:05:54 -0500 (EST)
X-Authentication-Warning: nap.io.org: taob owned process doing -bs
Date: Tue, 10 Dec 1996 21:05:53 -0500 (EST)
From: Brian Tao
To: Dev Chanchani
cc: FREEBSD-SECURITY-L
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996, Dev Chanchani wrote:
>
> Okay,
> ..so.. you found a sniffer from a rootkit package..
> ....
> ...... you're rootkit'ed.

    I found none of the trojans or other telltale signs of rootkit on the
compromised systems. The user's home directory didn't have any of the
source files left when I checked, just the sniffit binary. I'm familiar
with the rootkit distribution, and none of it (besides the packet sniffer)
appears to have been installed here.

> Expire all the passwords and re-install all the system binaries and
> hopefully he will go away.

    All staff have been notified to cycle their passwords. What to do with
the user base is an entirely different matter...
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
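The check Brian describes (looking for the rootkit's trojaned binaries rather than trusting that only the sniffer was installed) is hard to do by eye. The script below is an added example, not code from the original thread: it compares a set of system binaries against a manifest of SHA-256 digests. It assumes the manifest was recorded from a trusted install, such as the distribution media, before the compromise; a baseline taken from the compromised host itself proves nothing. The file names, contents and the `demo()` scenario are constructed stand-ins, not real binaries.

```python
"""Verify system binaries against a known-good hash manifest.

Added example, not part of the original mailing-list post. Assumes a
baseline manifest of SHA-256 digests recorded from a trusted install
before the compromise.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, rel_paths) -> dict:
    """Record digests for the given paths relative to root (trusted install)."""
    return {rel: sha256_of(root / rel) for rel in rel_paths}


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare files under root with the manifest.

    Returns {"modified": [...], "missing": [...], "ok": [...]}, each sorted.
    A changed digest on a binary such as ls, ps or netstat is the kind of
    telltale a rootkit leaves; a missing entry is also worth a look.
    """
    report = {"modified": [], "missing": [], "ok": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: a trusted baseline, then one replaced and one
    removed binary. Contents are arbitrary bytes standing in for real files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "sbin").mkdir()
        files = {
            "bin/ls": b"ls-v1",
            "bin/ps": b"ps-v1",
            "sbin/ifconfig": b"ifconfig-v1",
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)
        manifest = build_manifest(root, files)        # taken from the trusted install
        (root / "bin/ps").write_bytes(b"ps-trojaned")  # simulate a replaced binary
        (root / "sbin/ifconfig").unlink()              # simulate a removed binary
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status}: {paths}")
```

In practice the manifest should live off-host (or on read-only media) and the comparison should be run from a clean boot environment, since a trojaned `ls` or kernel module on the compromised system can hide the very files being checked.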