From owner-freebsd-security Tue Dec 10 07:20:37 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id HAA07736 for security-outgoing; Tue, 10 Dec 1996 07:20:37 -0800 (PST)
Received: from virginia.edu (mars.itc.Virginia.EDU [128.143.2.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id HAA07730 for ; Tue, 10 Dec 1996 07:20:33 -0800 (PST)
Received: from archive.cs.virginia.edu by mail.virginia.edu id aa02938; 10 Dec 96 10:20 EST
Received: from stretch.cs.Virginia.edu (atf3r@stretch-fo.cs.Virginia.EDU [128.143.136.14]) by archive.cs.Virginia.EDU (8.7.5/8.7.3) with SMTP id KAA20014; Tue, 10 Dec 1996 10:19:58 -0500 (EST)
Received: by stretch.cs.Virginia.edu (4.1/SMI-2.0) id AA03901; Tue, 10 Dec 96 10:19:57 EST
Date: Tue, 10 Dec 1996 10:19:54 -0500 (EST)
From: "Adrian T. Filipi-Martin"
Reply-To: adrian@virginia.edu
To: Don Lewis
Cc: freebsd-security@freebsd.org
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To: <199612100639.WAA00847@salsa.gv.ssi1.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 9 Dec 1996, Don Lewis wrote:

> A trojan could have been planted in any of the binaries that root executes.
> As soon as root runs the program, it spawns a copy of the sniffer or opens
> some other hole. You should do a comparison of all the executables vs.
> those in a fresh copy of the distribution.
>
> Even the kernel could have been hacked to make it easy to get root access,
> though it would probably be less obvious to give bpf access to a non-root
> sniffer.

This reminds me, has anyone considered getting a precomputed list of MD5 signatures for all precompiled system binaries onto the distribution CDs? While it would not necessarily help those who recompile world, it would still be a handy time saver. I suppose even the scripts to make and compare the MD5 checksums would be handy as part of the system.

Adrian adrian@virginia.edu ---->>>>| Support your local programmer,
System Administrator --->>>| STOP Software Patent Abuses NOW!
NVL, NIIMS and Telemedicine Labs -->>| For an application and information
Member: League for Programming Freedom ->| see: http://www.lpf.org/
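The "make and compare the checksums" script Adrian asks for, as an added example that is not part of the original message or of any FreeBSD distribution: it writes a manifest of digests for a pristine tree (the distribution media) and checks an installed tree against it, reporting each file as OK, MODIFIED or MISSING. It assumes a POSIX sh with find, sed, sort and cut, and one of sha256sum, sha256, md5sum or md5 on the PATH. The message proposes MD5 and the script falls back to it, but prefers SHA-256 where available because MD5 collisions have been practical for years. The directory tree in the demo function is constructed sample data, not a real system.

```shell
#!/bin/sh
# Added example (not from the original message): build a checksum manifest of a
# pristine tree and verify a suspect tree against it.  Assumptions: POSIX sh,
# find/sed/sort/cut, and one of sha256sum, sha256, md5sum or md5 on the PATH.
# Run from clean media: a trojaned hash binary would defeat the whole check.

# Print the hex digest of file $1.  SHA-256 is preferred; the MD5 branches keep
# the original proposal working on systems that ship only md5(1).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then     # GNU coreutils, busybox
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then      # FreeBSD sha256(1)
        sha256 -q "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else                                              # FreeBSD md5(1)
        md5 -q "$1"
    fi
}

# make_manifest DIR OUTFILE: one "<digest>  <relative path>" line per regular
# file under DIR, sorted so two manifests of the same tree are byte-identical
# and the manifest can be applied to a tree mounted at a different root.
make_manifest() {
    dir=$1
    out=$2
    ( cd "$dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort ) |
    while read -r rel; do
        printf '%s  %s\n' "$(hash_of "$dir/$rel")" "$rel"
    done > "$out"
}

# check_manifest DIR MANIFEST: print OK / MODIFIED / MISSING per entry and
# return 1 if anything differs from the manifest.  Files present in DIR but
# absent from the manifest are not reported; diff two manifests for that.
check_manifest() {
    dir=$1
    manifest=$2
    bad=0
    while read -r expected rel; do
        if [ ! -f "$dir/$rel" ]; then
            printf 'MISSING  %s\n' "$rel"
            bad=1
        elif [ "$(hash_of "$dir/$rel")" != "$expected" ]; then
            printf 'MODIFIED  %s\n' "$rel"
            bad=1
        else
            printf 'OK  %s\n' "$rel"
        fi
    done < "$manifest"
    return "$bad"
}

# demo: constructed sample data.  A "distribution" tree is hashed, copied to an
# "installed" tree, then bin/ls gets bytes appended (a trojaned binary) and
# sbin/init is deleted.  Prints the two problem lines and returns 1.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/dist/bin" "$tmp/dist/sbin"
    printf 'pristine ls binary\n' > "$tmp/dist/bin/ls"
    printf 'pristine init binary\n' > "$tmp/dist/sbin/init"
    make_manifest "$tmp/dist" "$tmp/CHECKSUMS"
    cp -R "$tmp/dist" "$tmp/installed"
    printf 'trojan payload\n' >> "$tmp/installed/bin/ls"
    rm "$tmp/installed/sbin/init"
    status=0
    check_manifest "$tmp/installed" "$tmp/CHECKSUMS" || status=$?
    rm -rf "$tmp"
    return "$status"
}

# Usage: sh checksums.sh demo   (script name is an assumption)
case "${1:-}" in
    demo) demo ;;
esac
```

The comparison is only as trustworthy as the tools doing it. Don Lewis's point about trojaned root binaries applies to the checker too: the shell, find and the hash program must come from known-good media (boot from the CD or fixit media and mount the suspect disk), and the manifest must live on read-only media, or whoever replaced /bin/ls can just as easily replace md5 to print the expected digest.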