From owner-freebsd-security Mon Dec 9 23:46:02 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id XAA26010 for security-outgoing; Mon, 9 Dec 1996 23:46:02 -0800 (PST)
Received: from sunrise.gv.ssi1.com (root@sunrise.gv.ssi1.com [146.252.44.191]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id XAA26004 for ; Mon, 9 Dec 1996 23:46:00 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by sunrise.gv.ssi1.com (8.8.4/8.8.4) with ESMTP id XAA07460; Mon, 9 Dec 1996 23:45:57 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.8.4/8.8.4) id XAA00966; Mon, 9 Dec 1996 23:45:56 -0800 (PST)
From: Don Lewis
Message-Id: <199612100745.XAA00966@salsa.gv.ssi1.com>
Date: Mon, 9 Dec 1996 23:45:56 -0800
In-Reply-To: Brian Tao "Re: URGENT: Packet sniffer found on my system" (Dec 10, 1:54am)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Brian Tao, Don Lewis
Subject: Re: URGENT: Packet sniffer found on my system
Cc: Karl Denninger, freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Dec 10, 1:54am, Brian Tao wrote:
} Subject: Re: URGENT: Packet sniffer found on my system
} On Mon, 9 Dec 1996, Don Lewis wrote:
} >
} > One very old trick is to plant something in root's crontab.
}
} Checked that already, plus all the files called by /etc/crontab
} and /var/cron/tabs/root. That would still mean the attacker had root
} access in the first place. The sniffing sessions seem to have been
} started manually though (the last one fired up literally as I watched
} the output of 'top' and 'fstat' and other utilities, coinciding with a
} login event by the owner of the sniffer binary).

Hmn, I think wu-ftpd runs as root in anonymous mode so that it can chroot().
I seem to recall there was a buffer overflow bug in its private realpath()
implementation.

} > A trojan could have been planted in any of the binaries that root executes.
} > As soon as root runs the program, it spawns a copy of the sniffer or opens
} > some other hole. You should do a comparison of all the executables vs.
} > those in a fresh copy of the distribution.
}
} One of these days I'm going to set up cops or tripwire to do this
} for me on a regular basis. Heck, maybe even mtree, since it seems
} like it can do that sort of stuff...

Sounds like a good idea.

} > Even the kernel could have been hacked to make it easy to get root access,
} > though it would probably be less obvious to give bpf access to a non-root
} > sniffer.
}
} I don't think we're dealing with someone that sophisticated yet.
} They would have had to patch a running kernel, since there haven't been
} any recent reboots.

I just mentioned this for completeness. It's something that you should
really check if root has been compromised.

--- Truck
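The thread above recommends comparing every executable against a fresh copy of the distribution, and mentions tripwire and mtree as tools that automate it. The following is an added example, not code from the original message or from any of those tools: a minimal integrity check in the same spirit. It records a baseline of every regular file under a tree (permission bits, size, SHA-256; symlinks are recorded by target, not followed), re-walks the tree later, and reports what was modified, added or removed. The directory tree, file names and the "tampering" it performs are all constructed inside a temporary directory for the demonstration; on a real host the baseline would be taken from known-good media and stored off the machine so an intruder with root cannot rewrite it.

```python
"""Added example (not from the mailing-list thread): a tripwire/mtree-style
file integrity check.  Baseline = {relative path: (mode, size, sha256)};
a later walk is diffed against it.  Everything below is constructed in a
temporary directory for demonstration only."""

import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root) to a tuple describing it.
    Symlinks are recorded by their target rather than followed, so a link
    repointed at another file shows up as a change instead of being hidden."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = ("symlink", os.readlink(full))
            elif stat.S_ISREG(st.st_mode):
                manifest[rel] = (stat.S_IMODE(st.st_mode), st.st_size, file_digest(full))
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of paths that changed, appeared or disappeared."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
    }


def demo():
    """Constructed scenario: take a baseline, alter the tree, diff against it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        # Constructed stand-ins for system binaries (tiny shell scripts).
        for name, body in (("bin/ls", b"#!/bin/sh\necho ls\n"),
                           ("bin/ps", b"#!/bin/sh\necho ps\n"),
                           ("bin/top", b"#!/bin/sh\necho top\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
            os.chmod(os.path.join(root, name), 0o755)
        baseline = build_manifest(root)

        # Simulated changes an integrity check should catch:
        # one file's contents altered, one file's permission bits changed
        # (an added setuid bit would show up the same way), one new file
        # dropped into the tree, one file deleted.
        with open(os.path.join(root, "bin/ps"), "ab") as f:
            f.write(b"# tampered\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o700)
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"constructed junk")
        os.remove(os.path.join(root, "bin/top"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Size and mode alone would miss a trojaned binary padded back to its original length, which is why the digest is part of the tuple; conversely the mode bits catch the case where the contents are untouched but a setuid bit has been added. The manifest format here is deliberately simple; mtree(8) produces an equivalent specification with its own `-c` and `-f` options, and the comparison it performs is the same idea.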