Date: Mon, 28 Jul 1997 02:22:24 -0800
From: "Nicole H." <nicole@mediacity.com>
To: Robert Watson <robert+freebsd@cyrus.watson.org>, Vincent Poy <vince@mail.MCESTATE.COM>
Cc: "[Mario1-]" <mario1@primenet.com>, JbHunt <johnnyu@accessus.net>, security@FreeBSD.ORG, Tomasz Dudziak <loco@onyks.wszib.poznan.pl>
Subject: Re: security hole in FreeBSD
Message-ID: <Chameleon.870081818.nmh@geekgirl>
References: <Pine.BSF.3.95.970728123635.3844m-100000@mail.MCESTATE.COM>
Does anyone know of a good way to detect people "sniffing" on the network?
I.e., a program that will detect a machine running in promiscuous mode?

Thanks

  Nicole

> On Mon, 28 Jul 1997, Robert Watson wrote:
>
> =)> =)I'd be tempted to look in all the normal places -- sendmail, etc. What
> =)> =)daemons were running on the machine? Any web server processes? Also, I'd
> =)> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
> =)> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
> =)> =)extremely unhappy if we already know (s)he is messing with DNS entries.
> =)>
> =)> sendmail is running as well as apache httpd... ftpd, telnetd, and
> =)> ircd. No NIS. All I know was he managed to change everyone's .rhosts
> =)> file when it doesn't exist originally and the contents just had:
> =)> + +
> =)> in it.
> =)
> =)This guy sounds like either he has good tools, or good experience. For
> =)safety's sake, I'd guess the latter. All he needed was one sniffed
> =)password to get on the system, and then you may be stuck with known holes
> =)in application software. Most of the security problems I've seen have
> =)started with a sniffed password, but this comes from dormitory experience
> =):).
>
> Yep, sniffing would work but can they actually sniff outside of
> the network?
>
> =)Your best hope at this point is to shut down the system, boot on a floppy
> =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
> =)and check for changes. If you're running STABLE, your best bet may be to
> =)sup down differences, but to reinstall the binaries necessary to support
> =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
> =)If he's made enough changes to zap syslog, netstat, login-stuff, I
> =)wouldn't trust any other tools on the system currently.
>
> Not even a rebuild of -current after cvs?
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET
> Unix Networking Operations - FreeBSD-Real Unix for Free
> GaiaNet Corporation - M & C Estate
> Beverly Hills, California USA 90210
> HongKong Stars/Gravis UltraSound Mailing Lists Admin
>
> ---------------End of Original Message-----------------

nicole@mediacity.com
http://www.mediacity.com        Nicole Harrington
Phone: 415-237-1464
Pager: 415-301-2482             Systems Administrator
-------------------------------------------------------------------------
What do you mean Spelling Errors? My Modem is Error Correcting!
CAUTION: I'm no doctor, I only tell computers what to do. Nothing in this
document should be construed as medical advice.
My opinions are subject to the availability of information. I learn new
things each day, and so may change my opinions.
Courtesy is owed. Respect is earned. Love is given.
--
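The message above raises two defensive tasks: Nicole asks how to spot an interface in promiscuous mode, and the quoted advice from Robert Watson is to boot from clean media and MD5-checksum every binary. The POSIX sh script below is an added example written for this page, not code posted by anyone in the thread. It assumes that md5sum(1), md5(1) or openssl(1) is available, that interface listings come from FreeBSD ifconfig(8) or Linux `ip -o link`, and the sample interface output it carries is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant).
# Two checks discussed above:
#   1. a baseline/verify file-integrity check in the spirit of "boot from
#      clean media and MD5 everything";
#   2. a filter that lists local interfaces carrying the PROMISC flag.
# Assumptions: md5sum(1), md5(1) or openssl(1) exists; interface listings
# come from FreeBSD ifconfig(8) or Linux `ip -o link`.

# Select whichever MD5 tool is present; every variant prints the hash first.
checksum_cmd() {
    if command -v md5sum >/dev/null 2>&1; then echo "md5sum"
    elif command -v md5 >/dev/null 2>&1; then echo "md5 -r"
    else echo "openssl md5 -r"
    fi
}

# make_baseline OUTFILE DIR...  -> one "<md5><tab><path>" line per regular
# file, sorted. Run it booted from trusted media and keep OUTFILE off the
# suspect host; a baseline built with the host's own (possibly replaced)
# tools proves nothing.
make_baseline() {
    out="$1"; shift
    tool=$(checksum_cmd)
    find "$@" -type f -print | sort | while read -r f; do
        $tool "$f" | awk -v p="$f" '{ print $1 "\t" p }'
    done > "$out"
}

# verify_baseline BASEFILE DIR...  -> prints MODIFIED/MISSING/NEW lines;
# returns 0 when nothing changed, 1 when something did.
verify_baseline() {
    base="$1"; shift
    cur=$(mktemp) || return 2
    make_baseline "$cur" "$@"
    report=$(awk -F'\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # baseline entries
                            { new[$2] = $1 }          # current entries
        END {
            for (p in old) {
                if (!(p in new))           print "MISSING " p
                else if (old[p] != new[p]) print "MODIFIED " p
            }
            for (p in new) if (!(p in old)) print "NEW " p
        }' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# promisc_ifaces < LISTING  -> names of interfaces whose flag set has PROMISC.
# Handles "fxp0: flags=8943<UP,...,PROMISC,...>" (FreeBSD ifconfig -a) and
# "2: eth0: <BROADCAST,...,PROMISC,...>" (ip -o link). Local host only.
promisc_ifaces() {
    awk '/<[^>]*PROMISC[^>]*>/ {
        name = ($1 ~ /^[0-9]+:$/) ? $2 : $1   # "2: eth0:" vs "fxp0:"
        sub(/:$/, "", name)
        print name
    }'
}

# Constructed sample listings (not from any real host) for a self-check.
SAMPLE_IFCONFIG='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384'
SAMPLE_IPLINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel'
```

Typical use: `make_baseline /mnt/floppy/base.md5 /bin /sbin /usr/bin /usr/sbin` while booted from the CD or floppy, then `verify_baseline /mnt/floppy/base.md5 /bin /sbin /usr/bin /usr/sbin` from the same clean boot after a suspected compromise; `ifconfig -a | promisc_ifaces` (or `ip -o link | promisc_ifaces`) lists only interfaces on the host it runs on, so it answers the local-host case and not the question of what other machines on the segment are doing.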