Date:      Tue, 10 Dec 1996 20:40:46 -0500 (EST)
From:      Brian Tao <taob@io.org>
To:        Brian Mitchell <brian@saturn.net>
Cc:        FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject:   Re: URGENT: Packet sniffer found on my system
Message-ID:  <Pine.BSF.3.95.961210201448.9494A-100000@nap.io.org>
In-Reply-To: <Pine.LNX.3.91.961210180228.1525A-100000@janus.saturn.net>

On Tue, 10 Dec 1996, Brian Mitchell wrote:
> 
> I'm not sure it is wise to announce to the world that you are not running 
> a tripwire-style program.

    Now I didn't say *that*.  I just said I would like to have
something like tripwire to automate this for me, instead of diffing
md5 output via a script I cobbled together.  ;-)

    MD5 checksums of all files checked out (binaries, libs, lkms,
scripts, etc.), including /sbin/md5 itself.  There were no regular
files in /dev other than MAKEDEV and MAKEDEV.local (a favourite hiding
place for rootkit config files).  No unexpected setuid executables
have been found on any of the affected servers.

    I did find the following three files on one of the shell servers,
which suggests the original compromise started there:

-rw-r--r-- speff/user     2363 Dec  1 17:37 1996 usr/include/net/nit_buf.h
-rw-r--r-- speff/user     2628 Dec  1 17:37 1996 usr/include/net/nit_if.h
-rw-r--r-- speff/user     3016 Dec  1 17:37 1996 usr/include/sys/stropts.h

    The date on the files is worrisome:  they are over a week old.
The packet sniffer binaries and logs were no more than 24 hours old
when I discovered them though, so I'm crossing my fingers and hoping
he hasn't been watching packets longer than that.  Thank god all our
root sessions are done through end-to-end encrypted connections...
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
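
The checks the message describes (a checksum baseline diffed against a fresh scan, a look for regular files in /dev other than MAKEDEV and MAKEDEV.local, and a sweep for unexpected setuid executables) as an added example, not the script the poster cobbled together and not FreeBSD's own code. It assumes either FreeBSD's `md5 -r` or GNU `md5sum` is on the PATH, that scanned paths contain no whitespace, and that the baseline file and the script itself are kept off the host being checked (the message notes /sbin/md5 itself had to be verified, and a compromised box can lie about anything stored on it):

```shell
#!/bin/sh
# Minimal tripwire-style integrity check: baseline, compare, and two
# rootkit-hunting sweeps. Functions only; nothing runs without arguments.

checksum_file() {
    # FreeBSD ships /sbin/md5 (-r prints "hash path"); GNU userlands ship
    # md5sum ("hash  path"). Either way the line is "<hash> <path>".
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1"
    else
        md5 -r "$1"
    fi
}

make_baseline() {
    # $1 = directory tree to scan, $2 = file to write the sorted checksums to.
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        checksum_file "$f"
    done > "$2"
}

compare_baseline() {
    # $1 = stored baseline, $2 = fresh scan. Prints one line per difference:
    # "added <path>", "changed <path>" or "removed <path>", sorted.
    # The first field is the hash, the second the path (no whitespace assumed).
    awk 'NR == FNR { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in new)
                 if (!(p in old))          print "added " p
                 else if (old[p] != new[p]) print "changed " p
             for (p in old)
                 if (!(p in new))          print "removed " p
         }' "$1" "$2" | LC_ALL=C sort
}

find_regular_in_dev() {
    # Regular files under a device directory; only MAKEDEV and MAKEDEV.local
    # legitimately live there on a 1996-era FreeBSD box.
    find "$1" -type f ! -name MAKEDEV ! -name MAKEDEV.local
}

find_setuid() {
    # Regular files with the setuid or setgid bit set anywhere under $1;
    # compare the output against a known-good list from an uncompromised host.
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

main() {
    root=$1
    baseline=$2
    if [ ! -f "$baseline" ]; then
        make_baseline "$root" "$baseline"
        echo "baseline written to $baseline (copy it to read-only media)"
        return 0
    fi
    fresh=$(mktemp)
    make_baseline "$root" "$fresh"
    echo "== checksum differences against $baseline =="
    compare_baseline "$baseline" "$fresh"
    rm -f "$fresh"
    echo "== regular files under $root/dev (MAKEDEV, MAKEDEV.local excluded) =="
    find_regular_in_dev "$root/dev"
    echo "== setuid/setgid regular files under $root =="
    find_setuid "$root"
}

# Usage: sh integrity-check.sh / /mnt/floppy/baseline.md5
# First run writes the baseline; later runs report differences and the sweeps.
if [ "$#" -ge 2 ]; then
    main "$1" "$2"
fi
```

The sweep of regular files in /dev is cheap and worth running on its own: a rootkit configuration file is usually small and has a harmless-looking name, so a hash diff that only covers the binaries you thought to baseline would miss it, whereas "any regular file in /dev that is not MAKEDEV" is a rule with almost no legitimate exceptions.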
