[706] in bugtraq


Hijacking tool

daemon@ATHENA.MIT.EDU (Christopher Klaus)
Mon Jan 23 19:17:20 1995

From: Christopher Klaus <cklaus@iss.net>
To: bugtraq@fc.net, firewalls@GreatCircle.COM
Date: Mon, 23 Jan 1995 15:20:06 +1494730 (PST)
Cc: cert@cert.org


There is a tool floating around called TAP which is a kernel mod that
allows you to easily watch streams on SunOS, and capture what a person
is typing.  It is easy to modify so that you could actually write to
the stream thus emulating that person and hijacking their terminal 
connection.  

To load the modules, the intruder does a modload to add the module to
the kernel.  One way to detect the hijacking tool is to do a

	modstat

and see if there are any unfamiliar modules loaded.  An intruder could trojan
modstat so it might be worthwhile to check the integrity of modstat.


Cheers,
Christopher

-- 
Christopher William Klaus	Voice: (404)441-2531. Fax: (404)441-2431
Internet Security Systems, Inc.		Computer Security Consulting
2000 Miller Court West, Norcross, GA 30071
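
The two checks suggested in the message above, as an added example that is not part of the original post: compare the loaded-module listing against a known-good baseline, and compare the modstat binary against a checksum recorded from trusted media. The sample listing, its simplified columns, the module names and the file paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: the first line of the listing is a header and every following
# row ends with the module name (names contain no spaces).

# Constructed sample listing; columns are simplified and names are made up.
SAMPLE_LISTING='Id Type Loadaddr Size Mod Name
 1 Pdrv ff050000 2000 examplefs
 2 Strm ff060000 1000 unknownmod'

# Read a module listing on stdin and print every module name that is missing
# from the baseline file ($1, one approved module name per line).
unfamiliar_modules() {
    awk 'NR > 1 && NF > 0 { print $NF }' | sort -u |
    while read -r name; do
        grep -Fxq -e "$name" "$1" || printf '%s\n' "$name"
    done
}

# Succeed only if the cksum output ("CRC size") of file $1 equals the value $2
# recorded earlier from trusted media. A CRC only catches careless
# replacement; prefer a cryptographic hash tool where one is installed.
binary_matches() {
    [ "$(cksum < "$1")" = "$2" ]
}

# Usage on a live host (paths and recorded value are hypothetical):
#   modstat | unfamiliar_modules /path/to/modules.baseline
#   binary_matches /path/to/modstat "$RECORDED" || echo "modstat changed"
```

Keep the baseline and the recorded checksum on read-only or offline media, since an intruder able to load kernel modules can also edit files on the host.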
