mailing list archives
Re: detecting sniffers is downright easy
From: cklaus () shadow net (Christopher Klaus)
Date: Wed, 10 May 1995 13:48:24 -0400 (EDT)
All current (2) programs can be detected by comparing the OS programs
with their original distribution versions using MD5 or a similar
cryptographic checksum technique. This has been widely published for
over 5 years.
Any sniffer can be slightly modified to change its md5 checksum, so you
can't tell if it is a sniffer or just another a.out program in someone's
directory. Nor if a hacker uploads a sniffer, runs it, and removes
the executable, the only thing you will find as a file might be the log file.
And even then, if the sniffer is decent, it never saves the log to any file
but rather e-mails or somehow transfers it back to another site. Then
you won't be able to search for any files on disk.
Also, if its a Solaris machine, you can't tell if the machine is in
promiscuous mode, so you can't tell if the machine is even sniffing.
The possible chance is if ps shows a process out of the ordinary,
but it wouldn't be hard for the hacker to name the process something like
in.telnetd or named so it won't stick out, so then you might get lucky,
and see a single process eating up lots of CPU if you happen to be on a
heavy network. If the sniffer is well written and is only sniffing
certian packets, even the CPU usage will not be too noticeable.
Thus, not only is detection of all Unix-based real-world sniffers not
impossible or infeasible, it is downright easy and simple.
Uh huh. For $29.95, Ill send you the sniffer detector kit that will
allow you to catch any and all sniffers on your networks. 8-) I
also have the Alien Chip Implant Removal kit on sale this month for $19.95.
The ACIR is great for keeping martians out of your network.
I have created a FAQ on Sniffers that has many products for protection
against sniffers and advice for detecting sniffers available at
http://iss.net/iss/sniff.html or send mail to info () iss net
Christopher William Klaus Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc. Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071