From owner-freebsd-hackers Fri Jul 30 13:45:42 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id DEC1B15745; Fri, 30 Jul 1999 13:45:36 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id NAA94214; Fri, 30 Jul 1999 13:45:28 -0700 (PDT) (envelope-from dillon)
Date: Fri, 30 Jul 1999 13:45:28 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199907302045.NAA94214@apollo.backplane.com>
To: Mike Smith
Cc: "Brian F. Feldman", "Jordan K. Hubbard", hackers@FreeBSD.ORG
Subject: Re: So, back on the topic of enabling bpf in GENERIC...
References: <199907302037.NAA01060@dingo.cdrom.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:> BTW, I wrote this section because a hacker actually installed the bpf
:> device via the module loader during one of the root compromises at BEST,
:> a year or two ago. He had gotten it from a hackers cookbook of exploits
:> which he conveniently left on-disk long enough for our daily backups to
:> catch it :-).
:
:This doesn't actually help the attacker much, since at that point in
:time the network drivers wouldn't have been calling the bpf tap points,
:so it might well have been loaded, but it wouldn't have been _doing_
:anything useful.

Whatever it was, it was recording packets. This was a year or so ago,
I don't have the code handy.

-Matt
Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message