From owner-freebsd-security Tue Dec 10 19:00:15 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id TAA01485 for security-outgoing; Tue, 10 Dec 1996 19:00:15 -0800 (PST)
Received: from ican.net (ican.net [198.133.36.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id TAA01474 for ; Tue, 10 Dec 1996 19:00:08 -0800 (PST)
Received: from gate.ican.net(really [198.133.36.2]) by ican.net via sendmail with esmtp id for ; Tue, 10 Dec 1996 22:00:07 -0500 (EST) (Smail-3.2 1996-Jul-4 #1 built 1996-Jul-10)
Received: (from smap@localhost) by gate.ican.net (8.7.5/8.7.3) id VAA24628; Tue, 10 Dec 1996 21:56:47 -0500 (EST)
Received: from nap.io.org(10.1.1.3) by gate.ican.net via smap (V1.3) id sma024626; Tue Dec 10 21:56:45 1996
Received: from localhost (taob@localhost) by nap.io.org (8.7.5/8.7.3) with SMTP id VAA10660; Tue, 10 Dec 1996 21:53:48 -0500 (EST)
X-Authentication-Warning: nap.io.org: taob owned process doing -bs
Date: Tue, 10 Dec 1996 21:53:48 -0500 (EST)
From: Brian Tao
To: Don Lewis
cc: FREEBSD-SECURITY-L
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To: <199612100745.XAA00966@salsa.gv.ssi1.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 9 Dec 1996, Don Lewis wrote:
>
> Hmn, I think wu-ftpd runs as root in anonymous mode so that it can
> chroot().  I seem to recall there was a buffer overflow bug in its
> private realpath() implementation.

    I'm going to install the latest wuftpd beta as Mark H. and Cy S.
have suggested.  Sendmail has also been upgraded to 8.8.4, just to be
safe (although there isn't much safe with sendmail around... ;-)).

> } I don't think we're dealing with someone that sophisticated yet.
> } They would have had to patch a running kernel, since there haven't
> } been any recent reboots.
>
> I just mentioned this for completeness.  It's something that you should
> really check if root has been compromised.

    The kernels seem to check out, as does everything in /lkm.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
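The kernel and /lkm check described in the message, as an added example that is not from the thread or from FreeBSD: a minimal baseline-and-verify script in POSIX sh. It assumes a digest manifest recorded while the host was known-good and kept off the host (a baseline taken after the sniffer was found proves nothing); the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): record SHA-256 digests of files that
# a root compromise would most likely touch (kernel, loadable modules) and
# later compare the live files against that stored baseline.

digest() {
    # Prefer GNU sha256sum; fall back to the BSD sha256 utility.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# build_baseline MANIFEST FILE...  -- writes "digest  path" lines.
# The manifest must be copied off-host (or to read-only media) afterwards.
build_baseline() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(digest "$f")" "$f" >> "$manifest"
    done
}

# verify_baseline MANIFEST -- prints one line per changed or missing file
# and returns 1 if anything differs, 0 if every file still matches.
verify_baseline() {
    manifest=$1
    bad=0
    while IFS= read -r line; do
        expected=${line%%  *}
        path=${line#*  }
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(digest "$path")" != "$expected" ]; then
            echo "CHANGED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}
```

A silent run after a suspected break-in only means the files in the manifest match; a module already loaded into the running kernel leaves no trace on disk, which is the case the quoted reply was raising.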