From owner-freebsd-hackers Fri Jul 30 13:44:45 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (Postfix) with ESMTP id 42F0414E6F; Fri, 30 Jul 1999 13:44:41 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Received: from dingo.cdrom.com (localhost.cdrom.com [127.0.0.1]) by dingo.cdrom.com (8.9.3/8.8.8) with ESMTP id NAA01060; Fri, 30 Jul 1999 13:37:36 -0700 (PDT) (envelope-from mike@dingo.cdrom.com) Message-Id: <199907302037.NAA01060@dingo.cdrom.com> X-Mailer: exmh version 2.0.2 2/24/98 To: Matthew Dillon Cc: "Brian F. Feldman" , "Jordan K. Hubbard" , hackers@FreeBSD.ORG Subject: Re: So, back on the topic of enabling bpf in GENERIC... In-reply-to: Your message of "Fri, 30 Jul 1999 13:37:17 PDT." <199907302037.NAA94153@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 30 Jul 1999 13:37:36 -0700 From: Mike Smith Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > : But even if you turn off the bpf device, you still have /dev/mem and > : /dev/kmem to worry about. For that matter, the intruder can still write > : raw devices. Also, there is another kernel feature called kldload(8). > > BTW, I wrote this section because a hacker actually installed the bpf > device via the module loader during one of the root compromises at BEST, > a year or two ago. He had gotten it from a hackers cookbook of exploits > which he convieniently left on-disk long enough for our daily backups to > catch it :-). This doesn't actually help the attacker much, since at that point in time the network drivers wouldn't have been calling the bpf tap points, so it might well have been loaded, but it wouldn't have been _doing_ anything useful. -- \\ The mind's the standard \\ Mike Smith \\ of the man. \\ msmith@freebsd.org \\ -- Joseph Merrick \\ msmith@cdrom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message