[1796] in bugtraq
Re: detecting sniffers is downright easy
daemon@ATHENA.MIT.EDU (Charles Howes)
Thu May 11 20:33:33 1995
Date: Thu, 11 May 1995 16:17:18 -0700 (PDT)
From: Charles Howes <chowes@helix.net>
To: bugtraq@fc.net
In-Reply-To: <199505101748.NAA21183@shadow.net>
On Wed, 10 May 1995, Christopher Klaus wrote:
> > All current (2) programs can be detected by comparing the OS programs
> > with their original distribution versions using MD5 or a similar
> > cryptographic checksum technique. This has been widely published for
> > over 5 years.
>
> Any sniffer can be slightly modified to change its md5 checksum, so you
> can't tell if it is a sniffer or just another a.out program in someone's
> directory.
If you know that the only programs running are virgin copies of system
programs, then you know you have no sniffer running.
I guess 'lsof' is the tool to find out which executables are currently
being executed. Test them with md5 to make sure that you know what
they are.
--
Charles Howes -- chowes@helix.net
Always tell the truth, then you make it the other bloke's problem!
- Sean Connery, 1971
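An added example, not from the post or its author, of the check Howes describes: take the executables backing running processes from lsof, hash each with md5sum, and compare against a manifest of hashes taken from trusted copies. It assumes a Linux host with GNU md5sum and lsof, a manifest in `md5sum` output format (`<md5>  <path>`), and paths without whitespace.

```shell
#!/bin/sh
# Added example (not part of the original post). Verifies that every
# executable currently running matches a baseline manifest of md5sums
# recorded from trusted copies. Assumes md5sum(1), lsof(1), awk(1).

# List distinct paths of the executables backing running processes.
# "txt" is the descriptor name lsof uses for a process's program text;
# -F n emits one "n<path>" line per entry, which sed strips to the path.
running_executables() {
    lsof -F n -d txt 2>/dev/null | sed -n 's/^n//p' | sort -u
}

# Read one path per line on stdin and report each that is absent from the
# manifest ("UNKNOWN") or whose hash differs from it ("MODIFIED").
# Returns 0 when every running executable matches the baseline, else 1.
verify_against_baseline() {
    manifest=$1
    status=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue          # skip deleted/unreadable entries
        expected=$(awk -v p="$path" '$2 == p { print $1; exit }' "$manifest")
        if [ -z "$expected" ]; then
            echo "UNKNOWN  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$path" | awk '{ print $1 }')
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done
    return $status
}

# Usage: ./check_running.sh /path/to/trusted.manifest
if [ $# -eq 1 ]; then
    running_executables | verify_against_baseline "$1"
fi
```

Build the manifest with `md5sum` over the distribution copies while the system is known clean; a binary that runs but is absent from it is exactly the "just another a.out in someone's directory" case Klaus raises.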