Date:      Mon, 9 Dec 1996 23:45:56 -0800
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Brian Tao <taob@io.org>, Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        Karl Denninger <karl@Mcs.Net>, freebsd-security@freebsd.org
Subject:   Re: URGENT: Packet sniffer found on my system
Message-ID:  <199612100745.XAA00966@salsa.gv.ssi1.com>
In-Reply-To: Brian Tao <taob@io.org> "Re: URGENT: Packet sniffer found on my system" (Dec 10,  1:54am)

On Dec 10,  1:54am, Brian Tao wrote:
} Subject: Re: URGENT: Packet sniffer found on my system
} On Mon, 9 Dec 1996, Don Lewis wrote:
} > 
} > One very old trick is to plant something in root's crontab.
} 
}     Checked that already, plus all the files called by /etc/crontab
} and /var/cron/tabs/root.  That would still mean the attacker had root
} access in the first place.  The sniffing sessions seem to have been
} started manually though (the last one fired up literally as I watched
} the output of 'top' and 'fstat' and other utilities, coinciding with a
} login event by the owner of the sniffer binary).

Hmn, I think wu-ftpd runs as root in anonymous mode so that it can
chroot().  I seem to recall there was a buffer overflow bug in its
private realpath() implementation.

} > A trojan could have been planted in any of the binaries that root executes.
} > As soon as root runs the program, it spawns a copy of the sniffer or opens
} > some other hole.  You should do a comparison of all the executables vs.
} > those in a fresh copy of the distribution.
} 
}     One of these days I'm going to set up cops or tripwire to do this
} for me on a regular basis.  Heck, maybe even mtree, since it seems
} like it can do that sort of stuff...

Sounds like a good idea.

} > Even the kernel could have been hacked to make it easy to get root access,
} > though it would probably be less obvious to give bpf access to a non-root
} > sniffer.
} 
}     I don't think we're dealing with someone that sophisticated yet.
} They would have had to patch a running kernel, since there haven't been
} any recent reboots.

I just mentioned this for completeness.  It's something that you should
really check if root has been compromised.

			---  Truck
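An added example, not code from the thread and not mtree or tripwire itself, of the regular integrity check Brian says he means to set up: it records the SHA-256, permission bits and owner of every regular file under a directory, then reports what was added, removed or altered against the saved baseline. The directory contents, the altered ps and the dropped sniffer binary in demo() are constructed for the example.

```python
import hashlib, os, shutil, stat, tempfile

def snapshot(root):
    """Record SHA-256, permission bits and owner for every regular file under root."""
    spec = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are not hashed
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            spec[os.path.relpath(path, root)] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                                                 "uid": st.st_uid, "gid": st.st_gid}
    return spec

def compare(baseline, current):
    """Return (added, removed, changed); changed maps a path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return added, removed, changed

def demo():
    """Constructed scenario: baseline a fake bin directory, then simulate a trojaned ps and a dropped sniffer."""
    root = tempfile.mkdtemp()
    try:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(os.path.join(root, name), 0o755)
        baseline = snapshot(root)
        with open(os.path.join(root, "ps"), "ab") as fh:  # ps contents altered, then made setuid
            fh.write(b"# modified\n")
        os.chmod(os.path.join(root, "ps"), 0o4755)
        with open(os.path.join(root, "sniff"), "wb") as fh:  # unexpected new binary
            fh.write(b"\x7fELF")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())  # (['sniff'], [], {'ps': ['sha256', 'mode']})
```

On a real host the baseline has to be taken from, or checked against, a clean copy of the distribution and kept off the machine, since whoever has root can rewrite the baseline along with the binaries.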