Date: Tue, 10 Dec 1996 01:54:34 -0500 (EST)
From: Brian Tao <taob@io.org>
To: Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: Karl Denninger <karl@mcs.net>, freebsd-security@freebsd.org
Subject: Re: URGENT: Packet sniffer found on my system
Message-ID: <Pine.BSF.3.95.961210014357.1328E-100000@nap.io.org>
In-Reply-To: <199612100639.WAA00847@salsa.gv.ssi1.com>
On Mon, 9 Dec 1996, Don Lewis wrote:
>
> One very old trick is to plant something in root's crontab.
Checked that already, plus all the files called by /etc/crontab
and /var/cron/tabs/root. That would still mean the attacker had root
access in the first place. The sniffing sessions seem to have been
started manually though (the last one fired up literally as I watched
the output of 'top' and 'fstat' and other utilities, coinciding with a
login event by the owner of the sniffer binary).
> A trojan could have been planted in any of the binaries that root executes.
> As soon as root runs the program, it spawns a copy of the sniffer or opens
> some other hole. You should do a comparison of all the executables vs.
> those in a fresh copy of the distribution.
One of these days I'm going to set up cops or tripwire to do this
for me on a regular basis. Heck, maybe even mtree, since it seems
like it can do that sort of stuff...
> Even the kernel could have been hacked to make it easy to get root access,
> though it would probably be less obvious to give bpf access to a non-root
> sniffer.
I don't think we're dealing with someone that sophisticated yet.
They would have had to patch a running kernel, since there haven't been
any recent reboots.
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
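The "compare all the executables against a fresh copy" check that Don suggests and that Brian wants tripwire or mtree to do for him is, at its core, a hash manifest taken while the system is known-good, re-checked later. The script below is an added example for this thread, not code from either poster nor from tripwire, COPS or mtree; it builds a sha256 manifest of a directory, then reports files that were replaced, removed, or newly appeared. The directory, file names and "tampering" in run_demo are constructed for the demo, and hash_file assumes either GNU sha256sum or the BSD sha256 utility is installed.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for a directory of binaries.
# A minimal stand-in for the tripwire/mtree comparison discussed in the thread.

hash_file() {
    # Prefer GNU sha256sum; fall back to the BSD sha256 utility (FreeBSD base system)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# build_manifest DIR MANIFEST: record "<sha256> <path>" for every regular file in DIR
build_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    find "$dir" -type f | sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

# verify_manifest DIR MANIFEST: print one line per finding
#   CHANGED  file content no longer matches the recorded hash (e.g. trojaned binary)
#   MISSING  file recorded in the manifest is gone
#   NEW      file present in DIR that the manifest never saw (e.g. dropped tool)
verify_manifest() {
    dir=$1; manifest=$2
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "CHANGED  $path"
        fi
    done < "$manifest"
    find "$dir" -type f | sort | while read -r f; do
        # exact whole-line match on the path column, so /bin/ls does not match /bin/lsx
        cut -d' ' -f2- "$manifest" | grep -Fxq -- "$f" || echo "NEW      $f"
    done
}

# run_demo: constructed scenario; prints the number of findings (expected: 3)
run_demo() {
    work=$(mktemp -d)
    bindir="$work/bin"
    mkdir -p "$bindir"
    # Constructed sample "binaries": plain text files stand in for executables
    printf 'original ls\n'  > "$bindir/ls"
    printf 'original ps\n'  > "$bindir/ps"
    printf 'original top\n' > "$bindir/top"
    build_manifest "$bindir" "$work/manifest"

    # Simulated tampering after the baseline was taken (constructed, not real malware)
    printf 'replaced ps\n' > "$bindir/ps"       # CHANGED: binary swapped out
    rm "$bindir/top"                            # MISSING: binary removed
    printf 'unexpected\n'  > "$bindir/.extra"   # NEW: file that was never in the baseline

    verify_manifest "$bindir" "$work/manifest" | wc -l | tr -d ' '
    rm -rf "$work"
}

case "${1:-}" in
    demo) run_demo ;;
esac
```

Run it as `sh integrity.sh demo` to see the three findings counted. The caveat that follows directly from this thread: the attacker already had root, so a manifest kept on the same disk can be rewritten along with the binaries. Take the baseline from a fresh install, keep the manifest on read-only or off-host storage, and run the comparison with a hash tool you trust (a statically linked copy from the distribution media, not the possibly replaced one in /usr/bin).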