From owner-freebsd-security Wed Dec 11 14:37:11 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA14780 for security-outgoing; Wed, 11 Dec 1996 14:37:11 -0800 (PST)
Received: from ican.net (ican.net [198.133.36.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id OAA14775 for ; Wed, 11 Dec 1996 14:37:09 -0800 (PST)
Received: from gate.ican.net(really [198.133.36.2]) by ican.net via sendmail with esmtp id for ; Wed, 11 Dec 1996 17:37:04 -0500 (EST) (Smail-3.2 1996-Jul-4 #1 built 1996-Jul-10)
Received: (from smap@localhost) by gate.ican.net (8.7.5/8.7.3) id RAA28162; Wed, 11 Dec 1996 17:33:41 -0500 (EST)
Received: from nap.io.org(10.1.1.3) by gate.ican.net via smap (V1.3) id sma028142; Wed Dec 11 17:33:21 1996
Received: from localhost (taob@localhost) by nap.io.org (8.7.5/8.7.3) with SMTP id RAA18537; Wed, 11 Dec 1996 17:30:20 -0500 (EST)
X-Authentication-Warning: nap.io.org: taob owned process doing -bs
Date: Wed, 11 Dec 1996 17:30:20 -0500 (EST)
From: Brian Tao
To: Nate Williams
cc: FREEBSD-SECURITY-L
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
In-Reply-To: <199612111835.LAA13289@rocky.mt.sri.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 11 Dec 1996, Nate Williams wrote:
>
> I would *certainly* disable BPF on a public server. You can always use
> another box to look at packets that isn't publicly available.

    The servers here are all on switched ports, so I can't monitor all
packets on the LAN. I suppose that was one saving grace which prevented
the attacker from doing more damage than he did. I think the best thing
to do is disable bpf, and set up a management station on the router
segment to watch the packets.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"