Date: Tue, 10 Dec 1996 02:02:15 -0500 (EST)
From: Brian Tao
To: John-Mark Gurney
Cc: FREEBSD-SECURITY-L
Subject: Re: URGENT: Packet sniffer found on my system
Sender: owner-security@freebsd.org

On Mon, 9 Dec 1996, John-Mark Gurney wrote:
>
> why not just have their passwords expire? then they have to change them
> :) hope it all works out... ttyl..

The attacker can just as easily change the password to the account. This is an ISP, where there are thousands of user accounts. Some people don't log in for days or weeks at a time, and won't see any announcements in their mailbox or in a newsgroup or on a login motd.

I could just lock out all the accounts listed in the sniffer logs, but I'm not sure if our tech support staff would appreciate all the calls that would generate. That may be the most effective approach though.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"