From owner-freebsd-security Mon Dec 9 22:39:16 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id WAA20109 for security-outgoing; Mon, 9 Dec 1996 22:39:16 -0800 (PST)
Received: from sunrise.gv.ssi1.com (root@sunrise.gv.ssi1.com [146.252.44.191]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id WAA20104 for ; Mon, 9 Dec 1996 22:39:14 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by sunrise.gv.ssi1.com (8.8.4/8.8.4) with ESMTP id WAA05983; Mon, 9 Dec 1996 22:39:11 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.8.4/8.8.4) id WAA00847; Mon, 9 Dec 1996 22:39:10 -0800 (PST)
From: Don Lewis
Message-Id: <199612100639.WAA00847@salsa.gv.ssi1.com>
Date: Mon, 9 Dec 1996 22:39:10 -0800
In-Reply-To: Karl Denninger "Re: URGENT: Packet sniffer found on my system" (Dec 10, 12:02am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Karl Denninger , taob@io.org (Brian Tao)
Subject: Re: URGENT: Packet sniffer found on my system
Cc: freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Dec 10, 12:02am, Karl Denninger wrote:
} Subject: Re: URGENT: Packet sniffer found on my system
} >
} > Any ideas how root access was available so easily?
} > --
} > Brian Tao (BT300, taob@io.org, taob@ican.net)

One very old trick is to plant something in root's crontab.

} When did you upgrade to sendmail 8.8.3, and are you SURE that someone
} hadn't planted a "root shell" somewhere first? That particular
} exploit was so trivial to use that it would be the first place I'd
} be suspicious of.

A trojan could have been planted in any of the binaries that root executes. As soon as root runs the program, it spawns a copy of the sniffer or opens some other hole. You should do a comparison of all the executables vs. those in a fresh copy of the distribution.

Even the kernel could have been hacked to make it easy to get root access, though it would probably be less obvious to give bpf access to a non-root sniffer.

--- Truck
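The comparison Don suggests above (live executables against a fresh copy of the distribution) can be scripted. The following is an added example, not part of the original mail or of FreeBSD; it uses only POSIX sh, find and cksum, and the directory layout and file contents in make_fixture are constructed stand-ins for real binaries. In practice the reference tree would be mounted read-only from install media, and the checksum tool itself should come from that media rather than from the suspect system.

```sh
#!/bin/sh
# Added example: report executables that differ from, are missing from, or
# were never shipped in a reference copy of the distribution.
#
# compare_trees REF LIVE
#   Prints one line per discrepancy, in the form
#     MODIFIED ./bin/ps      (checksum or size differs)
#     MISSING  ./bin/login   (shipped in REF, absent from LIVE)
#     EXTRA    ./bin/.sniffer (present in LIVE, not shipped in REF)
#   Output is sorted by walking each tree in sorted order.
compare_trees() {
    ref=$1
    live=$2

    # Pass 1: every file the distribution shipped must exist and match.
    (cd "$ref" && find . -type f) | sort | while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING  $f"
            continue
        fi
        # cksum on stdin prints "crc size" with no filename, so the two
        # strings can be compared directly.
        rsum=$(cksum < "$ref/$f")
        lsum=$(cksum < "$live/$f")
        if [ "$rsum" != "$lsum" ]; then
            echo "MODIFIED $f"
        fi
    done

    # Pass 2: anything on the live system that the distribution never shipped
    # is worth a look (dotfiles in bin directories are a classic hiding place).
    (cd "$live" && find . -type f) | sort | while IFS= read -r f; do
        if [ ! -f "$ref/$f" ]; then
            echo "EXTRA    $f"
        fi
    done
}

# discrepancy_count REF LIVE
#   Echoes the number of discrepancy lines compare_trees would print.
discrepancy_count() {
    compare_trees "$1" "$2" | grep -c ''
}

# make_fixture
#   Builds a constructed pair of trees under a temp dir and echoes its path.
#   Reference: ls, ps, login. Live: ls unchanged, ps altered, login gone,
#   plus an extra hidden file. (Plain text files stand in for binaries.)
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/ref/bin" "$base/live/bin"
    printf 'ls-binary\n'          > "$base/ref/bin/ls"
    printf 'ps-binary\n'          > "$base/ref/bin/ps"
    printf 'login-binary\n'       > "$base/ref/bin/login"
    printf 'ls-binary\n'          > "$base/live/bin/ls"
    printf 'ps-binary-altered\n'  > "$base/live/bin/ps"
    printf 'not-shipped\n'        > "$base/live/bin/.sniffer"
    echo "$base"
}

# Stand-alone use: compare_trees.sh /mnt/fresh-dist /
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
fi
```

Running it against the fixture lists ./bin/ps as MODIFIED, ./bin/login as MISSING and ./bin/.sniffer as EXTRA; an unchanged ./bin/ls produces no output. The script compares size and CRC only, so it catches replaced or patched files but not a kernel modified in memory, and it trusts the find and cksum it runs, which is why those should come from the clean media too.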