From owner-freebsd-security Mon Jul 28 14:18:25 1997
Date: Mon, 28 Jul 1997 02:22:24 -0800
From: "Nicole H."
Subject: Re: security hole in FreeBSD
To: Robert Watson, Vincent Poy
Cc: "[Mario1-]", JbHunt, security@FreeBSD.ORG, Tomasz Dudziak
Sender: owner-freebsd-security@FreeBSD.ORG

Does anyone know of a good way to detect people "sniffing" on the network?
IE a program that will detect a machine running in promiscuous mode?

Thanks
Nicole

> On Mon, 28 Jul 1997, Robert Watson wrote:
>
> =)> =)I'd be tempted to look in all the normal places -- sendmail, etc. What
> =)> =)daemons were running on the machine? Any web server processes? Also, I'd
> =)> =)heavily suspect that he sniffed a password if no encrypted telnet/ssh is
> =)> =)in use.. Any use of NIS going on? Also, .rhosts arrangements can be
> =)> =)extremely unhappy if we already know (s)he is messing with DNS entries.
> =)>
> =)> sendmail is running as well as apache httpd... ftpd, telnetd, and
> =)> ircd. No NIS. All I know was he managed to change everyone's .rhosts
> =)> file when it doesn't exist originally and the contents just had:
> =)> + +
> =)> in it.
> =)
> =)This guy sounds like either he has good tools, or good experience. For
> =)safety's sake, I'd guess the latter. All he needed was one sniffed
> =)password to get on the system, and then you may be stuck with known holes
> =)in application software. Most of the security problems I've seen have
> =)started with a sniffed password, but this comes from dormitory experience
> =):).
>
> Yep, sniffing would work but can they actually sniff outside of
> the network?
>
> =)Your best hope at this point is to shut down the system, boot on a floppy
> =)with a CDROM mounted, and then do a strategic MD5 checksum of all binaries
> =)and check for changes. If you're running STABLE, your best bet may be to
> =)sup down differences, but to reinstall the binaries necessary to support
> =)the cvsup stuff from CDROM, as well as system kernel and /bin, /sbin, etc.
> =)If he's made enough changes to zap syslog, netstat, login-stuff, I
> =)wouldn't trust any other tools on the system currently.
>
> Not even a rebuild of -current after cvs?
>
> Cheers,
> Vince - vince@MCESTATE.COM - vince@GAIANET.NET
> Unix Networking Operations - FreeBSD-Real Unix for Free
> GaiaNet Corporation - M & C Estate
> Beverly Hills, California USA 90210
> HongKong Stars/Gravis UltraSound Mailing Lists Admin
>
> ---------------End of Original Message-----------------

nicole@mediacity.com
http://www.mediacity.com
Nicole Harrington
Phone: 415-237-1464
Pager: 415-301-2482
Systems Administrator
-------------------------------------------------------------------------
What do you mean Spelling Errors? My Modem is Error Correcting!
CAUTION: I'm no doctor, I only tell computers what to do. Nothing in this
document should be construed as medical advice. My opinions are subject to
the availability of information. I learn new things each day, and so may
change my opinions. Courtesy is owed. Respect is earned. Love is given.
--
-----------------------------------------------------------------------
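Added example (not from this thread or from FreeBSD) showing, as a POSIX shell script, the two checks the exchange above raises: listing interfaces whose ifconfig flags include PROMISC, and comparing digests of installed binaries against clean copies on trusted media, the MD5 comparison Robert recommends. The baseline directory, the saved ifconfig output file and the paths in the usage line are assumptions; the flag check only reports on the host it runs on and trusts that host's ifconfig, so run it from known-good binaries, and it cannot see a sniffer running on another machine.

```shell
#!/bin/sh
# Added example, not from the thread. Two defender checks after a suspected
# break-in: (1) which interfaces report PROMISC, (2) which installed binaries
# differ from clean copies on trusted media (the MD5 comparison suggested above).
# Assumed: the baseline dir is hypothetical, e.g. a mounted install CD-ROM.

# Print interface names whose flags contain PROMISC.
# $1: file holding saved "ifconfig -a" output (BSD or Linux layout).
# Interface lines start in column 1; continuation lines are indented.
promisc_ifaces() {
    awk '/^[A-Za-z0-9]/ { iface = $1; sub(":$", "", iface) }
         /PROMISC/      { print iface }' "$1"
}

# Digest of one file; prefer md5sum, fall back to BSD md5 -q.
digest() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Compare every regular file under the suspect tree with the baseline tree.
# Prints MODIFIED / MISSING / EXTRA lines; returns 0 only if the trees match.
check_tree() {
    base=$1; sus=$2; rc=0
    for f in $(cd "$base" && find . -type f | sort); do
        if [ ! -f "$sus/$f" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$(digest "$base/$f")" != "$(digest "$sus/$f")" ]; then
            echo "MODIFIED $f"; rc=1
        fi
    done
    for f in $(cd "$sus" && find . -type f | sort); do
        [ -f "$base/$f" ] || { echo "EXTRA $f"; rc=1; }
    done
    return $rc
}

# Usage: sh check.sh IFCONFIG_OUTPUT BASELINE_DIR SUSPECT_DIR
# e.g.   sh check.sh /tmp/ifc.txt /cdrom/bin /mnt/bin   (paths are assumptions)
if [ $# -eq 3 ]; then
    echo "interfaces in promiscuous mode:"; promisc_ifaces "$1"
    check_tree "$2" "$3"
fi
```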