Date: Fri, 30 Jul 1999 13:45:28 -0700 (PDT) From: Matthew Dillon <dillon@apollo.backplane.com> To: Mike Smith <mike@smith.net.au> Cc: "Brian F. Feldman" <green@FreeBSD.ORG>, "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, hackers@FreeBSD.ORG Subject: Re: So, back on the topic of enabling bpf in GENERIC... Message-ID: <199907302045.NAA94214@apollo.backplane.com> References: <199907302037.NAA01060@dingo.cdrom.com>
:> BTW, I wrote this section because a hacker actually installed the bpf
:> device via the module loader during one of the root compromises at BEST,
:> a year or two ago. He had gotten it from a hackers cookbook of exploits
:> which he conveniently left on-disk long enough for our daily backups to
:> catch it :-).
:
:This doesn't actually help the attacker much, since at that point in
:time the network drivers wouldn't have been calling the bpf tap points,
:so it might well have been loaded, but it wouldn't have been _doing_
:anything useful.
Whatever it was, it was recording packets. This was a year or so ago,
I don't have the code handy.
-Matt
Matthew Dillon
<dillon@backplane.com>
