From: Brian Tao
To: FREEBSD-SECURITY-L
Date: Tue, 10 Dec 1996 00:39:41 -0500 (EST)
Subject: Re: URGENT: Packet sniffer found on my system

On Tue, 10 Dec 1996, Brian Tao wrote:
>
> What it does is use bpf to log every connection between a pair of
> hosts and save all the good parts to a series of files. The guy
> running the sniffer logged well over 17000 connections today and god
> knows how many username/password combinations. He was watching the
> FTP and POP3 ports, mainly.

Also the telnet ports to the shell servers... any tips for cleaning up
the mess? Obviously the users should be told they need to change their
passwords right away (now to think of a good way to let everyone
know... :-/).
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"