Date:      Wed, 11 Dec 1996 00:55:37 -0500 (EST)
From:      Brian Mitchell <brian@saturn.net>
To:        Brian Tao <taob@io.org>
Cc:        FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject:   Re: URGENT: Packet sniffer found on my system
Message-ID:  <Pine.LNX.3.91.961211005245.8703A-100000@janus.saturn.net>
In-Reply-To: <Pine.BSF.3.95.961210201448.9494A-100000@nap.io.org>

On Tue, 10 Dec 1996, Brian Tao wrote:

> On Tue, 10 Dec 1996, Brian Mitchell wrote:
> > 
> > I'm not sure it is wise to announce to the world that you are not running 
> > a tripwire-style program.
> 
>     Now I didn't say *that*.  I just said I would like to have
> something like tripwire to automate this for me, instead of diffing
> md5 output via a script I cobbled together.  ;-)
> 
>     MD5 checksums of all files checked out (binaries, libs, lkms,
> scripts, etc.), including /sbin/md5 itself.  There were no regular
> files in /dev other than MAKEDEV and MAKEDEV.local (a favourite hiding
> place for rootkit config files).  No unexpected setuid executables
> have been found on any of the affected servers.
> 
>     I did find the following three files on one of the shell servers,
> which suggests the original compromise started there:
> 
> -rw-r--r-- speff/user     2363 Dec  1 17:37 1996 usr/include/net/nit_buf.h
> -rw-r--r-- speff/user     2628 Dec  1 17:37 1996 usr/include/net/nit_if.h
> -rw-r--r-- speff/user     3016 Dec  1 17:37 1996 usr/include/sys/stropts.h
> 

I don't have it in front of me, but those look like files from the pcap 
distribution. This is kinda strange to see installed, since freebsd has 
(had?) libpcap as a standard part of the setup, doesn't it?

In any case, sniffit uses libpcap, and it would make sense speff is the 
original account that did the penetration (but not the perpetrator, mind 
you).


>     The date on the files is worrisome:  they are over a week old.
> The packet sniffer binaries and logs were no more than 24 hours old
> when I discovered them though, so I'm crossing my fingers and hoping
> he hasn't been watching packets longer than that.  Thank god all our
> root sessions are done through end-to-end encrypted connections...

If he has root, he can replace ssh binaries (or whatever you are using) 
with programs to log the traffic. Encryption is pointless when binaries 
can be replaced on either end.


#######################################################################
Brian Mitchell                                      brian@saturn.net
#######################################################################
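The tripwire-style check Brian Tao describes above (hashing binaries, libraries and scripts, including the hash tool itself, then diffing the output against a baseline), together with his two sweeps for regular files in /dev and for unexpected setuid executables, written out as an added POSIX shell example. This is not code from the thread or from FreeBSD; the function names (md5_of, build_baseline, compare_baseline, dev_regular_files, setuid_files, demo) and the fake filesystem tree that demo constructs are assumptions, and it expects either GNU md5sum or FreeBSD's md5 on PATH.

```shell
#!/bin/sh
# Added example (not code from the thread): a minimal tripwire-style file
# integrity check in POSIX sh, plus the two sweeps the thread mentions
# (regular files hidden in /dev, unexpected setuid binaries).
# Assumptions: md5sum (GNU/Linux) or md5 (FreeBSD) is on PATH; the baseline
# file lives on media the monitored host cannot write to, otherwise the check
# is only as trustworthy as whoever holds root on that host.
set -u

# md5_of FILE: print the hex digest only, whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# build_baseline DIR OUT: one "<digest><TAB><path>" line per regular file
# under DIR. The TAB separator keeps paths containing spaces intact.
build_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(md5_of "$f")" "$f"
    done > "$2"
}

# compare_baseline DIR BASELINE: print ADDED/CHANGED/REMOVED, one line per path.
compare_baseline() {
    cur=$(mktemp)
    build_baseline "$1" "$cur"
    awk -F '\t' '
        NR == FNR { base[$2] = $1; next }            # first file: the baseline
        !($2 in base) { print "ADDED\t" $2; next }   # second file: current state
        base[$2] != $1 { print "CHANGED\t" $2 }
        { delete base[$2] }
        END { for (p in base) print "REMOVED\t" p }
    ' "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# dev_regular_files DEVDIR: a device directory should hold only device nodes;
# the thread treats MAKEDEV and MAKEDEV.local as the expected exceptions.
dev_regular_files() {
    find "$1" -type f ! -name MAKEDEV ! -name MAKEDEV.local
}

# setuid_files DIR: setuid/setgid regular files, to diff against a known-good list.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# demo: build a constructed fake filesystem tree, take a baseline, tamper with
# it the way the thread describes, and print what the three checks report.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/dev" "$root/usr/include/net"
    printf 'original ls\n'  > "$root/bin/ls"
    printf 'original md5\n' > "$root/bin/md5"
    printf 'mknod script\n' > "$root/dev/MAKEDEV"
    base="$root.baseline"
    build_baseline "$root" "$base"

    # Tampering, constructed for the demo: trojaned binary, dropped header,
    # config stashed in /dev, a new setuid file, and a removed file.
    printf 'trojan\n' >> "$root/bin/ls"
    printf 'struct nit\n' > "$root/usr/include/net/nit_if.h"
    printf 'constructed config\n' > "$root/dev/.cfg"
    printf 'shell\n' > "$root/bin/sh"; chmod 4755 "$root/bin/sh"
    rm -f "$root/bin/md5"

    compare_baseline "$root" "$base" | sed "s#$root#ROOT#"
    dev_regular_files "$root/dev"    | sed "s#^#DEV-REGULAR #; s#$root#ROOT#"
    setuid_files "$root"             | sed "s#^#SETUID #; s#$root#ROOT#"
    rm -rf "$root" "$base"
}
```

Running `demo` reports the appended-to binary as CHANGED, the header and the hidden /dev file as ADDED, the deleted md5 binary as REMOVED, and lists the /dev regular file and the setuid file separately. Mitchell's point in the reply applies to this script as much as to ssh: once an intruder has root, the md5 binary, find, awk and the baseline itself can all be replaced, so the baseline and ideally the tools should be kept on read-only media and the comparison run from a trusted boot.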
