Bugtraq mailing list archives
Re: detecting sniffers is downright easy
From: ericm () lne com (Eric Murray)
Date: Fri, 12 May 1995 09:31:52 -0700 (PDT)
On Wed, 10 May 1995, Christopher Klaus wrote:

> All current (2) programs can be detected by comparing the OS programs with their original distribution versions using MD5 or a similar cryptographic checksum technique. This has been widely published for over 5 years.

> Any sniffer can be slightly modified to change its md5 checksum, so you can't tell if it is a sniffer or just another a.out program in someone's directory.

> If you know that the only programs running are virgin copies of system programs, then you know you have no sniffer running.
not many systems are run from nothing but installed programs.
> I guess 'lsof' is the tool to find out which executables are currently being executed. Test them with md5 to make sure that you know what they are.
you would have to run lsof from a read-only media to make sure it's not compromised. then you'd still have to worry that the attacker hadn't modified the kernel in some way as to make lsof not see the sniffer.

that's just for one unix machine. you would have to do all of your machines, constantly running lsof and scanning for sniffers. scanning once an hour would not be good enough, the sniffer could quit during the scan and start up afterwards. you'd wind up spending an awful lot of cpu time on this.

and you still wouldn't guarantee that you don't have sniffers clipped into your net elsewhere (i.e. not on an official host).

if you actually try this, or even think it out, you'll discover that it's less work to encrypt everything on your network than it is to be 100% sure that no one on your net is sniffing packets.

-- 
eric murray  ericm () lne com  ericm () motorcycle com  http://www.lne.com/ericm
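As an added illustration of the "checksum every running executable" approach the thread is debating (this is not code from the post or its authors), the script below does on Linux what the message proposes doing with lsof and md5: it enumerates the executable behind every process via /proc/<pid>/exe, hashes it, and compares it with a baseline manifest. It assumes a Linux /proc layout, uses sha256 in place of MD5 as the "similar cryptographic checksum", and the demo() scenario uses constructed files rather than real system binaries. It also reports the two cases the checksum idea cannot cover: a running binary that is not in the baseline at all, and one that was unlinked from disk after launch.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash a file in chunks; the thread says MD5, sha256 is the 'similar' choice today."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def running_executables(proc_root="/proc"):
    """pid -> (exe path, unlinked?) for every process visible under /proc (Linux only)."""
    procs = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, or a process we lack permission to inspect
        unlinked = target.endswith(" (deleted)")
        procs[int(entry)] = (target.removesuffix(" (deleted)"), unlinked)
    return procs

def audit(manifest, procs):
    """Compare running executables with the baseline {path: digest}; returns (pid, path, verdict)."""
    findings = []
    for pid, (path, unlinked) in sorted(procs.items()):
        if unlinked:
            verdict = "executable unlinked after launch"  # nothing left on disk to hash
        elif path not in manifest:
            verdict = "not in baseline"  # the 'just another a.out in someone's directory' case
        else:
            verdict = "ok" if file_digest(path) == manifest[path] else "hash mismatch"
        findings.append((pid, path, verdict))
    return findings

def demo():
    """Constructed scenario: pristine binary, tampered binary, unknown binary, unlinked binary."""
    d = tempfile.mkdtemp()
    good, bad, stray = (os.path.join(d, n) for n in ("sh", "ps", "a.out"))
    for p in (good, bad, stray):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho " + os.path.basename(p).encode() + b"\n")
    manifest = {good: file_digest(good), bad: file_digest(bad)}  # baseline taken before tampering
    with open(bad, "ab") as f:
        f.write(b"# tampered\n")  # simulate a replaced system binary
    procs = {1: (good, False), 2: (bad, False), 3: (stray, False), 4: (stray, True)}
    return [verdict for _, _, verdict in audit(manifest, procs)]
```

Against a live system, `audit(baseline, running_executables())` with a baseline recorded from the original distribution media gives the one-host, one-moment snapshot the message describes; Eric's point about scan timing and kernel tampering still applies to it.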
Current thread:
- Re: detecting sniffers is downright easy Patrick Horgan (May 09)
- Re: detecting sniffers is downright easy Dr. Frederick B. Cohen (May 10)
- <Possible follow-ups>
- Re: detecting sniffers is downright easy Caspar Arquint (May 10)
- Re: detecting sniffers is downright easy Eric Murray (May 12)
- Re: detecting sniffers is downright easy Julian Assange (May 14)