Date:      Mon, 9 Dec 1996 22:39:10 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Karl Denninger  <karl@Mcs.Net>, taob@io.org (Brian Tao)
Cc:        freebsd-security@freebsd.org
Subject:   Re: URGENT: Packet sniffer found on my system
Message-ID:  <199612100639.WAA00847@salsa.gv.ssi1.com>
In-Reply-To: Karl Denninger  <karl@Mcs.Net> "Re: URGENT: Packet sniffer found on my system" (Dec 10, 12:02am)

On Dec 10, 12:02am, Karl Denninger wrote:
} Subject: Re: URGENT: Packet sniffer found on my system
} > 
} >     Any ideas how root access was available so easily?
} > --
} > Brian Tao (BT300, taob@io.org, taob@ican.net)

One very old trick is to plant something in root's crontab.

} When did you upgrade to sendmail 8.8.3, and are you SURE that someone 
} 	hadn't planted a "root shell" somewhere first?  That particular
} 	exploit was so trivial to use that it would be the first place I'd
} 	be suspicious of.

A trojan could have been planted in any of the binaries that root executes.
As soon as root runs the program, it spawns a copy of the sniffer or opens
some other hole.  You should do a comparison of all the executables vs.
those in a fresh copy of the distribution.

Even the kernel could have been hacked to make it easy to get root access,
though it would probably be less obvious to give bpf access to a non-root
sniffer.

			---  Truck
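A concrete form of the comparison suggested above, added here as an example and not part of the original message: a POSIX shell script that hashes every executable under a suspect tree and under a clean reference tree (assumed to be a freshly extracted copy of the distribution, mounted read-only) and lists binaries that differ, that are missing, or that exist only on the suspect host. The two trees in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the original thread): compare executables in a
# suspect system tree against the same paths in a clean reference tree.
# A changed digest means a replaced binary; an EXTRA executable is a
# candidate for a planted program such as a sniffer.
set -eu

hash_file() {
    # sha256sum on Linux, shasum on BSD/macOS; print only the hex digest
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_trees REFERENCE_DIR SUSPECT_DIR
# Prints one sorted line per finding: "MODIFIED <path>", "MISSING <path>" or
# "EXTRA <path>" (relative to the tree root); prints nothing if trees match.
compare_trees() {
    ref=$1; sys=$2
    {
        # every executable file in the reference tree, compared by digest
        ( cd "$ref" && find . -type f -perm -u+x | sort ) | while IFS= read -r f; do
            if [ ! -f "$sys/$f" ]; then
                echo "MISSING ${f#./}"
            elif [ "$(hash_file "$ref/$f")" != "$(hash_file "$sys/$f")" ]; then
                echo "MODIFIED ${f#./}"
            fi
        done
        # executables that exist only on the suspect system
        ( cd "$sys" && find . -type f -perm -u+x | sort ) | while IFS= read -r f; do
            [ -f "$ref/$f" ] || echo "EXTRA ${f#./}"
        done
    } | sort
}

# Demo on two constructed trees (stand-ins for the fresh distribution and the
# compromised host); real use would point at e.g. /mnt/fresh/usr/bin and /usr/bin.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref/bin" "$tmp/sys/bin"
    printf 'original ls\n' > "$tmp/ref/bin/ls"; cp "$tmp/ref/bin/ls" "$tmp/sys/bin/ls"
    printf 'original ps\n' > "$tmp/ref/bin/ps"; printf 'trojaned ps\n' > "$tmp/sys/bin/ps"
    printf 'original netstat\n' > "$tmp/ref/bin/netstat"
    printf 'planted sniffer\n' > "$tmp/sys/bin/.sniff"
    chmod u+x "$tmp"/ref/bin/* "$tmp"/sys/bin/* "$tmp/sys/bin/.sniff"
    compare_trees "$tmp/ref" "$tmp/sys"
    rm -rf "$tmp"
}
demo
```

The demo reports `EXTRA bin/.sniff`, `MISSING bin/netstat` and `MODIFIED bin/ps`; note that a trojaned kernel can still lie to this check, so run it from a clean boot medium where possible.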
