Date: Tue, 10 Dec 1996 01:54:34 -0500 (EST)
From: Brian Tao
To: Don Lewis
Cc: Karl Denninger, freebsd-security@freebsd.org
Subject: Re: URGENT: Packet sniffer found on my system
In-Reply-To: <199612100639.WAA00847@salsa.gv.ssi1.com>

On Mon, 9 Dec 1996, Don Lewis wrote:

> One very old trick is to plant something in root's crontab.

Checked that already, plus all the files called by /etc/crontab and /var/cron/tabs/root. That would still mean the attacker had root access in the first place. The sniffing sessions seem to have been started manually though (the last one fired up literally as I watched the output of 'top' and 'fstat' and other utilities, coinciding with a login event by the owner of the sniffer binary).
> A trojan could have been planted in any of the binaries that root executes.
> As soon as root runs the program, it spawns a copy of the sniffer or opens
> some other hole. You should do a comparison of all the executables vs.
> those in a fresh copy of the distribution.

One of these days I'm going to set up cops or tripwire to do this for me on a regular basis. Heck, maybe even mtree, since it seems like it can do that sort of stuff...

> Even the kernel could have been hacked to make it easy to get root access,
> though it would probably be less obvious to give bpf access to a non-root
> sniffer.

I don't think we're dealing with someone that sophisticated yet. They would have had to patch a running kernel, since there haven't been any recent reboots.

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
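The executable comparison Don Lewis suggests, and the tripwire/mtree-style baseline Brian says he wants to set up, as an added example that is not part of this thread: a small Python script that records a SHA-256 digest, permission bits and size for every regular file under a directory, then reports what was added, removed or altered relative to a stored baseline. The directory layout and the constructed sample "binaries" in demo() are assumptions; in real use the baseline would be taken from clean distribution media and kept off the suspect host.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Digest, permission bits and size of every regular file under root.
    Mode is recorded so a newly added setuid bit shows up as a change."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = (
                sha256_file(full), st.st_mode & 0o7777, st.st_size)
    return baseline

def compare(baseline, current):
    """Files that appeared, vanished or differ from the stored baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline
                              if p in current and baseline[p] != current[p])}

def demo():
    """Constructed scenario (not real data): three fake binaries are baselined,
    then one is tampered with, one deleted and a hidden setuid file planted."""
    root = tempfile.mkdtemp()
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
    baseline = build_baseline(root)  # in real use, store this off-host
    with open(os.path.join(root, "ps"), "ab") as f:
        f.write(b"# tampered\n")
    os.remove(os.path.join(root, "netstat"))
    with open(os.path.join(root, ".sniff"), "wb") as f:
        f.write(b"\x7fELF")
    os.chmod(os.path.join(root, ".sniff"), 0o4755)
    return compare(baseline, build_baseline(root))
```

A baseline that lives on the compromised machine can be rewritten by the same intruder who replaced the binaries, which is why the comparison should be run against a copy on read-only media or another host.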