Date: Tue, 10 Dec 1996 20:40:46 -0500 (EST)
From: Brian Tao <taob@io.org>
To: Brian Mitchell <brian@saturn.net>
Cc: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: Re: URGENT: Packet sniffer found on my system
Message-ID: <Pine.BSF.3.95.961210201448.9494A-100000@nap.io.org>
In-Reply-To: <Pine.LNX.3.91.961210180228.1525A-100000@janus.saturn.net>
On Tue, 10 Dec 1996, Brian Mitchell wrote:
>
> I'm not sure it is wise to announce to the world that you are not running
> a tripwire-style program.

Now I didn't say *that*. I just said I would like to have something like tripwire to automate this for me, instead of diffing md5 output via a script I cobbled together. ;-)

MD5 checksums of all files checked out (binaries, libs, lkms, scripts, etc.), including /sbin/md5 itself. There were no regular files in /dev other than MAKEDEV and MAKEDEV.local (a favourite hiding place for rootkit config files). No unexpected setuid executables have been found on any of the affected servers. I did find the following three files on one of the shell servers, which suggests the original compromise started there:

-rw-r--r-- speff/user 2363 Dec  1 17:37 1996 usr/include/net/nit_buf.h
-rw-r--r-- speff/user 2628 Dec  1 17:37 1996 usr/include/net/nit_if.h
-rw-r--r-- speff/user 3016 Dec  1 17:37 1996 usr/include/sys/stropts.h

The date on the files is worrisome: they are over a week old. The packet sniffer binaries and logs were no more than 24 hours old when I discovered them though, so I'm crossing my fingers and hoping he hasn't been watching packets longer than that. Thank god all our root sessions are done through end-to-end encrypted connections...

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
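The three checks the message describes (diffing MD5 output against a baseline, looking for regular files hiding in /dev, and scanning for unexpected setuid executables), written out as an added example. This is not Brian Tao's script and not part of the original thread; it is a POSIX sh sketch of the tripwire-style automation he says he would like to have. The directory tree, file names and "compromise" it sets up under a mktemp directory are constructed for the demonstration, and the fallback from GNU md5sum to BSD `md5 -r` in hash_cmd is an assumption about which checksum tool is installed.

```shell
#!/bin/sh
# Added example (not from the original message): a tripwire-style
# baseline/verify pair plus the two rootkit-residue scans the message
# describes. All data below is constructed under a mktemp directory.
set -eu

# Hash one or more files. GNU md5sum prints "hash  path"; BSD md5 -r prints
# "hash path". Assumption: one of the two is installed. In a real deployment
# run the hashing tool and keep the baseline from read-only media, since the
# message notes /sbin/md5 itself has to be checked against replacement.
hash_cmd() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$@"
    else
        md5 -r "$@"
    fi
}

# Write one "hash path" line for every regular file under $1 into $2.
baseline_create() {
    root=$1; out=$2
    find "$root" -type f | sort | while IFS= read -r f; do
        hash_cmd "$f"
    done | awk '{ print $1, $2 }' > "$out"
}

# Re-hash the tree and report ADDED / CHANGED / REMOVED paths, one per line.
baseline_verify() {
    root=$1; base=$2
    cur=$(mktemp)
    baseline_create "$root" "$cur"
    awk -v base="$base" '
        FILENAME == base { old[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in old))       print "ADDED", $2
            else if (old[$2] != $1) print "CHANGED", $2
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED", p }
    ' "$base" "$cur" | sort
    rm -f "$cur"
}

# Regular files under a device directory; only MAKEDEV and MAKEDEV.local
# are expected there, anything else is the hiding place the message names.
dev_regular_files() {
    find "$1" -type f ! -name MAKEDEV ! -name MAKEDEV.local | sort
}

# Files with the setuid or setgid bit set anywhere under the given roots.
setuid_files() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Build a constructed tree, record its baseline, then simulate the
# post-compromise state described in the message. Prints the tree root.
demo_setup() {
    top=$(mktemp -d)
    mkdir -p "$top/sbin" "$top/dev" "$top/usr/include/net"
    printf 'clean md5 binary\n' > "$top/sbin/md5"
    printf 'clean netstat\n'    > "$top/sbin/netstat"
    printf 'clean login\n'      > "$top/sbin/login"
    printf 'device script\n'    > "$top/dev/MAKEDEV"
    baseline_create "$top" "$top.base"      # baseline lives outside the tree
    # Constructed compromise: replaced md5, dropped header, hidden config in
    # dev, a removed tool, and a setuid bit added without changing content.
    printf 'replaced md5\n'   > "$top/sbin/md5"
    printf 'sniffer header\n' > "$top/usr/include/net/nit_buf.h"
    printf 'sniffer config\n' > "$top/dev/ptyr"
    rm "$top/sbin/netstat"
    chmod 4755 "$top/sbin/login"
    echo "$top"
}

demo_report() {
    top=$(demo_setup)
    echo "== baseline diff";  baseline_verify "$top" "$top.base"
    echo "== files in dev";   dev_regular_files "$top/dev"
    echo "== setuid/setgid";  setuid_files "$top"
    rm -rf "$top" "$top.base"
}

if [ "${1:-}" = demo ]; then
    demo_report
fi
```

Run it as `sh check.sh demo`. The diff reports the replaced md5, the two dropped files and the removed netstat, but not the setuid bit added to login: a content hash does not see a permission change, which is why the setuid scan is a separate pass and why a real tripwire-style baseline records mode and ownership alongside the hash.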