From owner-freebsd-security Tue Dec 10 14:06:28 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id OAA05877 for security-outgoing; Tue, 10 Dec 1996 14:06:28 -0800 (PST)
Received: from janus.saturn.net (brian@janus.saturn.net [206.42.0.10]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id OAA05863 for ; Tue, 10 Dec 1996 14:06:24 -0800 (PST)
Received: (from brian@localhost) by janus.saturn.net (8.7.6/8.6.9) id SAA01724; Tue, 10 Dec 1996 18:05:20 -0500
Date: Tue, 10 Dec 1996 18:05:20 -0500 (EST)
From: Brian Mitchell
To: Brian Tao
cc: Don Lewis, Karl Denninger, freebsd-security@freebsd.org
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996, Brian Tao wrote:

> > A trojan could have been planted in any of the binaries that root executes.
> > As soon as root runs the program, it spawns a copy of the sniffer or opens
> > some other hole. You should do a comparison of all the executables vs.
> > those in a fresh copy of the distribution.
>
> One of these days I'm going to set up cops or tripwire to do this
> for me on a regular basis. Heck, maybe even mtree, since it seems
> like it can do that sort of stuff...

I'm not sure it is wise to announce to the world that you are not running a tripwire-style program.

> > Even the kernel could have been hacked to make it easy to get root access,
> > though it would probably be less obvious to give bpf access to a non-root
> > sniffer.
>
> I don't think we're dealing with someone that sophisticated yet.
> They would have had to patch a running kernel, since there haven't been
> any recent reboots.

That's what lkm is for, but you are probably right about the sophistication level. If you cannot trust your kernel, you are in heaps of trouble, and cannot be sure of anything (including md5s).
####################################################################### Brian Mitchell brian@saturn.net #######################################################################
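The check the thread talks about (compare every executable against a known-good baseline or a fresh copy of the distribution, the job COPS, Tripwire and mtree do) in a small Python script. This is an added illustration, not code from the message above or from any of those tools; the directory tree, file names and "trojan" edits in demo() are constructed for the example.

```python
#!/usr/bin/env python3
"""
Minimal tripwire/mtree-style integrity checker (added example; not code
from the original message or from COPS, Tripwire or mtree).

Records, per file: type+permission bits, owner, group, size and a SHA-256
of the content (for symlinks, of the link target). mtime is deliberately
not recorded: an attacker resets it with touch(1) or utimes(), so it
proves little on its own.
"""
import hashlib
import os
import stat
import tempfile

CHUNK = 1 << 16


def fingerprint(path):
    """Return the attributes the baseline tracks for one filesystem entry."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                h.update(chunk)
    return {
        "mode": oct(st.st_mode),  # includes setuid/setgid/sticky and type bits
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": h.hexdigest(),
    }


def baseline(root):
    """Map each path under root (relative to root) to its fingerprint."""
    spec = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            spec[os.path.relpath(full, root)] = fingerprint(full)
    return spec


def compare(spec, root):
    """
    Re-fingerprint root and report every entry that is missing, changed
    (with the names of the attributes that differ) or absent from the
    baseline. Passing baseline(<fresh distribution root>) as spec diffs
    an installed tree against a clean copy of the distribution.
    """
    current = baseline(root)
    findings = []
    for rel, expected in spec.items():
        got = current.get(rel)
        if got is None:
            findings.append(("missing", rel, []))
            continue
        changed = sorted(k for k in expected if expected[k] != got[k])
        if changed:
            findings.append(("changed", rel, changed))
    for rel in current:
        if rel not in spec:
            findings.append(("extra", rel, []))
    return sorted(findings)


def unchanged_tree_is_clean():
    """Sanity check: an untouched tree compares clean against its own baseline."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")  # constructed content
        return compare(baseline(root), root) == []


def demo():
    """Constructed scenario: baseline a tiny bin/, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps"):
            p = os.path.join(bindir, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\nexec /usr/bin/" + name.encode() + b' "$@"\n')
            os.chmod(p, 0o755)

        spec = baseline(root)  # in real use, written to read-only media

        # Tampering of the kind the thread speculates about: a trojaned ps,
        # a setuid ls, and a sniffer binary dropped alongside them.
        with open(os.path.join(bindir, "ps"), "ab") as f:
            f.write(b"# hide the sniffer process from the listing\n")
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        with open(os.path.join(bindir, "sniff"), "wb") as f:
            f.write(b"\x7fELF")  # placeholder bytes, not a real binary

        return compare(spec, root)


if __name__ == "__main__":
    for status, rel, attrs in demo():
        print(status, rel, " ".join(attrs))
```

Two caveats follow from the message itself. The baseline must be written to media the intruder cannot alter (read-only, or off the machine), and the checker and the hash tool it calls must themselves be trusted binaries, or a trojaned md5/sha256 simply reports whatever the attacker wants. And, as the reply says, every read here goes through the kernel: a patched kernel or a loaded lkm can hand the checker the original bytes while executing the trojaned ones, so a clean result from a running system is only as good as the kernel it ran on.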