From owner-freebsd-security Tue Dec 10 18:33:18 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id SAA28070 for security-outgoing; Tue, 10 Dec 1996 18:33:18 -0800 (PST)
Received: from relay.nuxi.com (nuxi.cs.ucdavis.edu [128.120.56.38]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id SAA28061 for ; Tue, 10 Dec 1996 18:33:17 -0800 (PST)
Received: (from obrien@localhost) by relay.nuxi.com (8.7.5/8.6.12) id SAA06716; Tue, 10 Dec 1996 18:33:29 -0800 (PST)
Message-ID:
Date: Tue, 10 Dec 1996 18:33:29 -0800
From: obrien@NUXI.com (David E. O'Brien)
To: taob@io.org (Brian Tao)
Cc: freebsd-security@freebsd.org
Subject: Re: URGENT: Packet sniffer found on my system
References:
X-Mailer: Mutt 0.53
Mime-Version: 1.0
X-PGP-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Keyid: 34F9F9D5
In-Reply-To: ; from Brian Tao on Dec 10, 1996 20:40:46 -0500
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Brian Tao writes:
> I did find the following three files on one of the shell servers,
> which suggests the original compromise started there:
>
> -rw-r--r-- speff/user 2363 Dec 1 17:37 1996 usr/include/net/nit_buf.h
> -rw-r--r-- speff/user 2628 Dec 1 17:37 1996 usr/include/net/nit_if.h
> -rw-r--r-- speff/user 3016 Dec 1 17:37 1996 usr/include/sys/stropts.h

Hum... these are from SunOS 4.1.3_U1:

ls -l /usr/include/net
-r--r--r-- 1 root 2363 Jan 20 1994 nit_buf.h
-r--r--r-- 1 root 2628 Jan 20 1994 nit_if.h

ls -l /usr/include/sys
-r--r--r-- 1 root 3016 Jan 20 1994 stropts.h

Hum.. wonder what he was doing with these files. I can't see where
they would be any use on a FreeBSD box.

--
-- David (obrien@cs.ucdavis.edu)