SUMMARY: password sniffer

From: Peifong Ren (pren@cs.umass.edu)
Date: Wed Mar 29 1995 - 05:26:45 CST


Original Post:

>Is there any way to tell if a machine is running a password sniffer
>program?

Thanks for those who answered! This is a great mailing list.

Most people suggest to use the program cmp from cert. And this is what
we are using now.

The following is a more complete answer from bzs@world.std.com:

=======
For starters see if the interface is in promiscuous mode with ifconfig
because unless they're just monitoring the machine it's running on
they generally do this.

Watch out for replaced copies of ifconfig that purposely mask the fact
that your net interface is in promiscuous mode, crackers have
those. They also have versions of 'ps' that will exclude their sniffer
programs from the output.

If you believe you have problems like this a good thing to do is to
squirrel away known, good copies of at least the following programs on
tape or some other removeable media (floppy, whatever) and use them
when investigating a machine (make a directory, unload these versions,
put that directory first in your path, remember to compare them with
the ones on the system eventually so you don't leave bad ones around
and know what the damage is):

        ifconfig
        ps
        du
        ls
        netstat
        login
        su
        route

For good measure I'd include:

        cmp
        sum

that is, any tools you might use to determine if binaries have been
changed. There are stronger tools (md5) but that doesn't mean they
haven't been hacked up to smile and say "yes, all is fine!" when run
on certain files. In general, don't trust file dates (well, don't
trust file dates that indicate all is well, they can be modified.)
========

Thanks again!!
-Pei



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:20 CDT