Date: Tue, 10 Dec 1996 18:05:20 -0500 (EST)
From: Brian Mitchell <brian@saturn.net>
To: Brian Tao <taob@io.org>
Cc: Don Lewis <Don.Lewis@tsc.tdk.com>, Karl Denninger <karl@mcs.net>, freebsd-security@freebsd.org
Subject: Re: URGENT: Packet sniffer found on my system
Message-ID: <Pine.LNX.3.91.961210180228.1525A-100000@janus.saturn.net>
In-Reply-To: <Pine.BSF.3.95.961210014357.1328E-100000@nap.io.org>
On Tue, 10 Dec 1996, Brian Tao wrote:

> > A trojan could have been planted in any of the binaries that root executes.
> > As soon as root runs the program, it spawns a copy of the sniffer or opens
> > some other hole. You should do a comparison of all the executables vs.
> > those in a fresh copy of the distribution.
>
> One of these days I'm going to set up cops or tripwire to do this
> for me on a regular basis. Heck, maybe even mtree, since it seems
> like it can do that sort of stuff...

I'm not sure it is wise to announce to the world that you are not
running a tripwire-style program.

> > Even the kernel could have been hacked to make it easy to get root access,
> > though it would probably be less obvious to give bpf access to a non-root
> > sniffer.
>
> I don't think we're dealing with someone that sophisticated yet.
> They would have had to patch a running kernel, since there haven't been
> any recent reboots.

That's what lkm is for, but you are probably right about the sophistication
level. If you cannot trust your kernel, you are in heaps of trouble, and
cannot be sure of anything (including md5s).

#######################################################################
Brian Mitchell                                          brian@saturn.net
#######################################################################
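The "compare all the executables against a fresh copy of the distribution" step, and the tripwire/mtree-style baseline Tao says he wants to run regularly, as an added example. This is editor-supplied code, not anything posted in the thread: it records path, mode, size and SHA-256 for every file under a directory into a manifest and later reports what changed, went missing or appeared. The tool names (sha256sum/shasum, awk, mktemp), the tab-separated manifest layout and the /mnt/floppy paths in the usage comment are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal tripwire/mtree-style
# integrity check.  Assumes POSIX sh, find, ls, wc, awk, mktemp and either
# sha256sum (GNU coreutils) or shasum (Perl, BSD/macOS).  Tool choice and
# manifest format are this example's own, not FreeBSD's mtree format.

# SHA-256 of one file, portable across GNU and BSD userlands.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{ print $1 }'
    else
        shasum -a 256 -- "$1" | awk '{ print $1 }'
    fi
}

# Symbolic mode string (e.g. -rwsr-xr-x), so a newly set setuid bit or a
# world-writable binary is reported even when the file contents are unchanged.
file_mode() {
    ls -ld -- "$1" | cut -c1-10
}

# One tab-separated line per regular file under $1:  path  mode  size  sha256
# Generate this right after installation, from known-good media, and keep the
# manifest, this script and the hash tool off the host or on read-only media;
# an intruder with root can otherwise simply regenerate a "clean" manifest.
build_manifest() {
    root=$1
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$root"/}
        printf '%s\t%s\t%s\t%s\n' "$rel" "$(file_mode "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" "$(hash_file "$f")"
    done
}

# Compare the live tree under $1 against the stored manifest $2.
# Prints CHANGED / MISSING / ADDED lines; exit status 0 only on an exact match.
verify_manifest() {
    tree=$1
    manifest=$2
    current=$(mktemp)
    build_manifest "$tree" > "$current"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2 FS $3 FS $4; next }
                            { cur[$1]  = $2 FS $3 FS $4 }
        END {
            bad = 0
            for (p in base) {
                if (!(p in cur))            { print "MISSING " p; bad = 1 }
                else if (base[p] != cur[p]) { print "CHANGED " p; bad = 1 }
            }
            for (p in cur) if (!(p in base)) { print "ADDED " p; bad = 1 }
            exit bad
        }' "$manifest" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

# Usage (paths are illustrative):
#   build_manifest /usr/bin > /mnt/floppy/usr-bin.manifest
#   verify_manifest /usr/bin /mnt/floppy/usr-bin.manifest
```

On FreeBSD the same job is done natively by the mtree(8) Tao mentions (a spec built with `mtree -c -K <digest keyword> -p DIR`, later checked with `mtree -p DIR < spec`), and the check covers binaries replaced by the intruder, a sniffer dropped into the tree, and a setuid bit quietly added to an otherwise unchanged file. Mitchell's caveat applies to every tool of this kind, this one included: the hashes are computed by the very kernel under suspicion, so a modified or LKM-loaded kernel can feed the checker clean bytes while executing trojaned ones. Run the comparison from a boot off trusted media, not from the running system, whenever the kernel itself is in doubt.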