Date:      Tue, 10 Dec 1996 16:27:27 -0500 (EST)
From:      Dev Chanchani <dev@trifecta.com>
To:        Brian Tao <taob@io.org>
Cc:        FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject:   Re: URGENT: Packet sniffer found on my system
Message-ID:  <Pine.BSF.3.91.961210162340.10896L-100000@www.trifecta.com>
In-Reply-To: <Pine.BSF.3.95.961210000201.1328A-100000@nap.io.org>

On Tue, 10 Dec 1996, Brian Tao wrote:

>     I happened across an interesting little process today on a few of
> our servers.  It appears to be the "sniffit" packet sniffer found in
> the Linux RootKit.  I can mail the binary to anyone who wants to
> analyse it.

Okay,
..so.. you found a sniffer from a rootkit package..
....<drum roll>
...... you're rootkit'ed.

Do you have a trusted backup? If not, save the config files and 
re-install the OS. I know it sounds ugly, but if they have patched your 
binaries (or you are not sure), re-install binaries you know are not patched.

Patched binaries can be particularly ugly. Usually the user will patch a 
program that will allow them back into your system. This includes:
httpd
inetd
login
ftpd 
telnetd 
tcpd 

You get the picture... The user will have a secret password which will 
give them total access to any account (including ROOT).

Next, by patching other binaries, kernel libs, etc., they can hide
their files, disk usage, net connections, processes; basically they can 
be invisible.

Try and find which account they used to compromise the system, try to 
find what tools/scripts/evidence he left about which programs he exploited.

Expire all the passwords and re-install all the system binaries and 
hopefully he will go away.

Fact of the matter is, he may find himself patched all over the network.
Best to try and scare him away from your network.

If you have any questions, drop me a line.

	--Dev



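Dev's advice to "re-install binaries you know are not patched" presupposes that you can tell which ones were touched. The following is an added example, written for this page and not code from the thread or from FreeBSD, showing the baseline-and-compare idea in Python: hash every file under a tree taken from a trusted source (install media or a known-clean box), keep that manifest off the suspect machine, and later diff the live tree against it. A patched login shows up as modified and a dropped sniffer as unexpected. The directory layout (usr/sbin/...), the file contents and the "sniffit" file name are constructed for the demo; the list of watched binaries is the one Dev gives above.

```python
"""Baseline-and-verify check for trojaned system binaries (added example).

Build a manifest of file hashes from a trusted copy of the system, store it
somewhere the attacker cannot reach, then compare the live tree against it.
"""
import hashlib
import tempfile
from pathlib import Path

# Binaries the mail above names as the usual backdoor targets.
WATCHED = ["httpd", "inetd", "login", "ftpd", "telnetd", "tcpd"]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root, manifest):
    """Compare the live tree under root against a trusted manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}:
    modified   - present in both, but the hash differs (a patched binary)
    missing    - in the manifest but gone from disk
    unexpected - on disk but not in the manifest (dropped tools, sniffers)
    """
    live = build_manifest(root)
    return {
        "modified": sorted(
            p for p in manifest if p in live and live[p] != manifest[p]
        ),
        "missing": sorted(p for p in manifest if p not in live),
        "unexpected": sorted(p for p in live if p not in manifest),
    }


def demo():
    """Constructed scenario: clean tree, baseline, then a simulated rootkit."""
    with tempfile.TemporaryDirectory() as tmp:
        sbin = Path(tmp, "usr", "sbin")
        sbin.mkdir(parents=True)
        # Stand-ins for clean binaries (constructed contents, not real ELF).
        for name in WATCHED:
            (sbin / name).write_bytes(b"ELF clean " + name.encode())
        baseline = build_manifest(tmp)  # taken while the box is trusted

        # "Attacker" patches login with a magic password and drops a sniffer.
        (sbin / "login").write_bytes(b"ELF clean login" + b"\x00MAGICPW")
        (sbin / "sniffit").write_bytes(b"ELF sniffer")

        return verify(tmp, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Two caveats a practitioner would want here. First, the comparison is only as trustworthy as the tools running it: on a box where ls, ps, the shared libraries or the kernel have been patched, the attacker can hide files from any script, so run the check from clean boot media (or against a mounted copy of the disk) and keep the manifest off-host. Second, a baseline taken after the compromise just enshrines the backdoors; it has to come from install media or a machine you know is clean. FreeBSD's own mtree(8) implements the same manifest-and-compare approach natively.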