Bugtraq mailing list archives
Re: snooper watchers
From: bent () snm com (Ben Taylor)
Date: Wed, 22 Feb 1995 17:20:14 -0500 (EST)
On Wed, 22 Feb 1995, Eric Conrad wrote:
I'm doing some work for a client who has had some suggestions that they run a program to watch the state of ifconfig, and send mail if the interface ever goes promiscuous. This works just fine under SunOS 4.x, however, their concern is that this does not appear to work for Solaris 2.x.
The first thing many crackers do is replace ifconfig with a trojan that won't report when an interface is in promiscuous mode.
Right. Which is one of the reasons I'm asking. We are currently using cpm, but as you pointed out, that could be spoofed.
You could look at 'cpm', which will also show when an interface is promiscuous. It's available from ftp.cert.org. You're still in the same boat if someone replaces it with their own, however.
Well, I assume the next version of cpm should actually do some sort of code like ifconfig, which means you'd have to spoof that code. If you don't know what to look for, you may not know what you have to spoof. If they reach that point, they're probably recorded.
...Eric
Ben Taylor --- Chief Information Officer --- Smoke N' Mirrors, Inc.
-=-=-=-=-=-=-=- Services for Systems Integration -=-=-=-=-=-=-=-=-
bent () snm com "Where the impossible jobs get done!"
(703) 318-1440 580 Herndon Pkwy, Suite 300, Herndon VA, 22070