Date: Tue, 10 Dec 1996 01:54:34 -0500 (EST)
From: Brian Tao <taob@io.org>
To: Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: Karl Denninger <karl@mcs.net>, freebsd-security@freebsd.org
Subject: Re: URGENT: Packet sniffer found on my system
Message-ID: <Pine.BSF.3.95.961210014357.1328E-100000@nap.io.org>
In-Reply-To: <199612100639.WAA00847@salsa.gv.ssi1.com>
On Mon, 9 Dec 1996, Don Lewis wrote:

> > One very old trick is to plant something in root's crontab.

Checked that already, plus all the files called by /etc/crontab and /var/cron/tabs/root. That would still mean the attacker had root access in the first place. The sniffing sessions seem to have been started manually though (the last one fired up literally as I watched the output of 'top' and 'fstat' and other utilities, coinciding with a login event by the owner of the sniffer binary).

> A trojan could have been planted in any of the binaries that root executes.
> As soon as root runs the program, it spawns a copy of the sniffer or opens
> some other hole. You should do a comparison of all the executables vs.
> those in a fresh copy of the distribution.

One of these days I'm going to set up cops or tripwire to do this for me on a regular basis. Heck, maybe even mtree, since it seems like it can do that sort of stuff...

> Even the kernel could have been hacked to make it easy to get root access,
> though it would probably be less obvious to give bpf access to a non-root
> sniffer.

I don't think we're dealing with someone that sophisticated yet. They would have had to patch a running kernel, since there haven't been any recent reboots.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
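The comparison of installed executables against a known-good copy that Don Lewis recommends, and the tripwire/mtree-style baseline Brian says he intends to set up, can be illustrated with a small integrity checker. The following is an added example and not part of the thread or of any of the tools it names: it records mode, size and SHA-256 for every regular file under a tree, saves that as a baseline, and later reports files that were added, removed, or changed in content or permission bits (a new setuid bit on an unchanged binary is still a change). The function names (`build_manifest`, `compare_manifests`, `run_demo`) and the constructed file tree in `run_demo` are this example's own assumptions.

```python
"""Baseline-and-compare file integrity check (added example, not tripwire or mtree).

Records (mode, size, sha256) for each regular file under a root directory and
diffs two such manifests.  Mode is kept so that permission changes such as a
newly added setuid bit are reported even when the file contents are identical.
"""
import hashlib
import json
import os
import stat
import sys
import tempfile
from typing import Dict, List

Record = Dict[str, object]
Manifest = Dict[str, Record]


def file_record(path: str) -> Record:
    """Mode bits (including setuid/setgid/sticky), size and SHA-256 of one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size, "sha256": digest.hexdigest()}


def build_manifest(root: str) -> Manifest:
    """Walk root and record every regular file; symlinks, sockets and devices are skipped."""
    manifest: Manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = file_record(full)
    return manifest


def compare_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Return sorted lists of paths added, removed, or modified since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest: Manifest, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> Manifest:
    with open(path) as fh:
        return json.load(fh)


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tiny tree, then tamper with it and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        _write(tmp, "bin/ls", b"#!/bin/sh\necho ls\n")
        _write(tmp, "bin/ps", b"#!/bin/sh\necho ps\n")
        _write(tmp, "etc/crontab", b"0 3 * * * root /usr/libexec/daily\n")
        baseline = build_manifest(tmp)
        # Simulated tampering: trojaned ps, setuid bit on ls, hidden new file, crontab gone.
        _write(tmp, "bin/ps", b"#!/bin/sh\necho ps\n# trailing change\n")
        os.chmod(os.path.join(tmp, "bin/ls"), 0o4755)
        _write(tmp, "bin/.sniff", b"constructed placeholder, not a real binary\n")
        os.remove(os.path.join(tmp, "etc/crontab"))
        return compare_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    # Usage: integrity.py baseline DIR MANIFEST | check DIR MANIFEST | demo
    if len(sys.argv) == 2 and sys.argv[1] == "demo":
        print(json.dumps(run_demo(), indent=2))
    elif len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(compare_manifests(load_manifest(sys.argv[3]), build_manifest(sys.argv[2])), indent=2))
    else:
        sys.exit("usage: integrity.py baseline DIR MANIFEST | check DIR MANIFEST | demo")
```

The check is only as trustworthy as the host running it, which is exactly the concern raised in the thread: a trojaned binary or a modified kernel can misreport what is on disk. The baseline therefore belongs on read-only or off-host storage, and the comparison is best run from a known-clean boot medium or against a fresh copy of the distribution rather than from the suspect system's own tools.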