From owner-freebsd-security Tue Dec 10 13:27:50 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id NAA02399 for security-outgoing; Tue, 10 Dec 1996 13:27:50 -0800 (PST)
Received: from www.trifecta.com (www.trifecta.com [206.245.150.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id NAA02393 for ; Tue, 10 Dec 1996 13:27:48 -0800 (PST)
Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12) id QAA11238; Tue, 10 Dec 1996 16:27:27 -0500 (EST)
Date: Tue, 10 Dec 1996 16:27:27 -0500 (EST)
From: Dev Chanchani
To: Brian Tao
cc: FREEBSD-SECURITY-L
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 10 Dec 1996, Brian Tao wrote:

> I happened across an interesting little process today on a few of
> our servers. It appears to be the "sniffit" packet sniffer found in
> the Linux RootKit. I can mail the binary to anyone who wants to
> analyse it.

Okay, ..so.. you found a sniffer from a rootkit package.. .... ...... you're rootkit'ed.

Do you have a trusted backup? If not, save the config files and re-install the OS. I know it sounds ugly, but if they have patched your binaries (or you are not sure), re-install binaries you know are not patched.

Patched binaries can be particularly ugly. Usually the user will patch a program that will allow them back into your system. This includes:

  httpd
  inetd
  login
  ftpd
  telnetd
  tcpd

You get the picture... The user will have a secret password which will give them total access to any account (including ROOT).

Next, by patching other binaries, kernel libs, etc., they can hide their files, disk usage, net connections, processes; basically they can be invisible.

Try and find which account they used to compromise the system, and try to find what tools/scripts/evidence he left about which programs he exploited.

Expire all the passwords and re-install all the system binaries and hopefully he will go away. Fact of the matter is, he may find himself patched all over the network. Best to try and scare him away from your network.

If you have any questions, drop me a line.

--Dev
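The advice above rests on one check a responder keeps having to repeat: are the binaries on disk still the ones you installed? The following is an added example, not code from this thread or from FreeBSD, of a minimal file-integrity check: a trusted manifest of SHA-256 digests and permission bits is built from a known-clean tree, and a later run reports modified files (a patched login), added files (a dropped capture log) and changed modes (a new set-uid bit). The directory layout, file names and the `demo()` scenario are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_files(root):
    """Yield (relative, absolute) path for each regular non-symlink file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                yield os.path.relpath(full, root), full

def build_manifest(root):
    """Trusted baseline: digest and permission bits per file. Build it from clean
    media and store it off the host; a rootkit can rewrite anything kept locally."""
    return {rel: (sha256_of(full), os.stat(full).st_mode & 0o7777)
            for rel, full in walk_files(root)}

def verify(root, manifest):
    """Compare the live tree with the baseline and bucket every discrepancy."""
    found = {"modified": set(), "mode_changed": set(), "added": set()}
    seen = set()
    for rel, full in walk_files(root):
        seen.add(rel)
        if rel not in manifest:
            found["added"].add(rel)          # e.g. a dropped tool or capture file
            continue
        digest, mode = manifest[rel]
        if sha256_of(full) != digest:
            found["modified"].add(rel)       # e.g. a patched daemon or login
        if os.stat(full).st_mode & 0o7777 != mode:
            found["mode_changed"].add(rel)   # e.g. a set-uid bit that was not there
    found["missing"] = set(manifest) - seen
    return found

def put(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline three stub daemons, then simulate the changes
    described in the mail (patched login, dropped sniffer log, set-uid added to inetd)."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.mkdir(sbin)
        for name in ("login", "inetd", "ftpd"):
            put(os.path.join(sbin, name), b"stub binary " + name.encode())
        baseline = build_manifest(root)
        put(os.path.join(sbin, "login"), b"stub binary login + backdoor")  # patched binary
        put(os.path.join(sbin, ".sniffit.log"), b"captured traffic")       # dropped file
        os.chmod(os.path.join(sbin, "inetd"), 0o4755)                      # set-uid added
        return verify(root, baseline)
```

Run the manifest build from clean install media or a known-good backup, never from the suspect host, and compare with a copy of the checker that did not come from that host either.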