[1038] in bugtraq


Re: snooper watchers

daemon@ATHENA.MIT.EDU (Eric Conrad)
Wed Feb 22 18:46:58 1995

Date: Wed, 22 Feb 1995 16:48:33 -0500 (EST)
From: Eric Conrad <econrad@bu.edu>
To: Ben Taylor <bent@snm.com>
Cc: bugtraq@fc.net
In-Reply-To: <Pine.SOL.3.91.950222122832.9504B-100000@snm.com>

> I'm doing some work for a client who has had some suggestions that they
> run a program to watch the state of ifconfig, and send mail if the
> interface ever goes promiscuous.  This works just fine under SunOS 4.x,
> however, their concern is that this does not appear to work for Solaris 2.x.

The first thing many crackers do is replace ifconfig with a trojan that 
won't report when an interface is in promiscuous mode.

You could look at 'cpm', which will also show when an interface is 
promiscuous.  It's available from ftp.cert.org.  You're still in the same 
boat if someone replaces it with their own, however.

                              ...Eric
