Bugtraq: Re: snooper watchers

[bent () snm com (Ben Taylor)]

On Wed, 22 Feb 1995, Eric Conrad wrote:

> > I'm doing some work for a client who has had some suggestions that they
> > run a program to watch the state of ifconfig, and send mail if the
> > interface ever goes promiscuous.  This works just fine under SunOS 4.x,
> > however, their concern is that this does not appear to work for Solaris 2.x.
> The first thing many crackers do is replace ifconfig with a trojan that 
> won't report when an interface is in promiscuous mode.
Right.  Which is one of the reasons I'm asking.  We are currently using
cpm, but as you pointed out, that could be spoofed.

> You could look at 'cpm', which will also show when an interface is 
> promiscuous.  It's available from ftp.cert.org.  You're still in the same 
> boat if someone replaces it with their own, however.
Well, I assume the next version of cpm should actually do some
sort of code like ifconfig, which means you'd have to spoof that code.
If you don't know what to look for, you may not know what you have to
spoof.  If they reach that point, they're probably recorded.

>                               ...Eric
Ben Taylor --- Chief Information Officer --- Smoke N' Mirrors, Inc.
-=-=-=-=-=-=-=-  Services for Systems Integration -=-=-=-=-=-=-=-=-
bent () snm com  "Where the impossible jobs get done!"  (703) 318-1440
           580 Herndon Pkwy, Suite 300, Herndon VA, 22070