[Cs22800] BSDsebek Update
Benjamin Johnson
bsjohnso at midway.uchicago.edu
Wed Nov 13 22:53:23 CST 2002
Below is output in /var/log/messages for BSDsebek. As you can see, it
clearly indicates that the hacker (myself) typed:
kldunload module
which is in fact what I did to unload BSDsebek. I am unsure of how to
get the tty_id so currently I just use TEST1234. sshd was running as
130 and I was root (uid 0) in the terminal where I was capturing
keystrokes. So it looks like everything is working pretty well. Also,
I can write to and read from /dev/sebek so tomorrow I will combine the
logging with sending the data to the driver rather than printing out as
a kernel message. If I have additional time, I will work on getting
the log reader to work. Then I would simply have to get the sniffing /
parsing to work, which actually isn't a huge deal because if it seems
hard to port right now, a quick fix would be to have a Linux machine on
the net and to run sebeksniff on there. I still have to add the
adorebsd rootkit-like features to it but that's just code cutting and
pasting.
Finally, I will have to set up a configuration / installation system and
then we can test it! If all goes well, that will all be done by next
Monday, and if not then probably just a few days later than that.
Let me know if you guys have any questions, suggestions, etc. BTW, in a
previous message I stated that I always got incorrect return
values... that was partially true, as I did not get what the user got,
but I guess I got what a system call should return in the kernel. I
figured out part of the proc structure that had the return value (i.e. the
# of bytes read) that I was looking for. It's amazing how after I sat
down for a while reading all the header files from /usr/include/sys,
stuff made much more sense.
See ya,
Ben
--------------------------------------------------------------------------------------
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:k
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:u
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:n
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:o
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:a
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:m
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:o
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:u
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:e
Nov 13 20:42:50 bsd /kernel: |BEGIN|->1037241770:130:0:sshd:7:TEST1234:b:3:
--------------------------------------------------------------------------------------------------------
--
Benjamin Johnson <bsjohnso at midway.uchicago.edu>
"I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones." -- Albert Einstein
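As an added example (not BSDsebek code and not part of the message above): a small reader for the records quoted in the message. It reassembles the per-keystroke records into the typed command, checks that the kernel's epoch field agrees with syslog's own timestamp (assuming the year 2002 and CST, UTC-6, from the mail header), and flags a session whose input tries to unload a kernel module, which on a honeypot is the logger being removed. Only the fields the message explains (epoch time, pid, uid, process name, tty_id) are named; the remaining fields are kept as opaque strings, the type letter is assumed to mean "character" when it is c, and an empty payload on a character record is assumed to be a space that was trimmed from the posted log. The sample lines are constructed from the message, one syslog line per record.

```python
"""Reassemble BSDsebek keystroke records from /var/log/messages.
Added example: not BSDsebek code and not from the original message."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the 17 records quoted in the message, one syslog
# line each.  The record after the second "d" has an empty payload,
# which is where the space in "kldunload module" belongs.
SAMPLE_LOG = [
    "Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:k",
    "Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:l",
    "Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:d",
    "Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:u",
    "Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:n",
    "Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:l",
    "Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:o",
    "Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:a",
    "Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:d",
    "Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:",
    "Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:m",
    "Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:o",
    "Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:d",
    "Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:u",
    "Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:l",
    "Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:e",
    "Nov 13 20:42:50 bsd /kernel: |BEGIN|->1037241770:130:0:sshd:7:TEST1234:b:3:",
]

# Syslog prefix from /kernel, then the record marker (|BEGIN1| or |BEGIN|).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) /kernel: \|BEGIN1?\|->(?P<rec>.*)$"
)

def parse_record(line):
    """Split one syslog line into its BSDsebek fields, or return None.

    Fields the message explains: epoch time, pid (130 = sshd), uid (0),
    process name and tty_id (TEST1234 is the author's placeholder).  The
    field after the process name, the type letter and the number after
    it are not explained there and are kept as opaque strings.  The
    payload is split off last with maxsplit so a typed ':' survives.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.group("rec").split(":", 8)
    if len(fields) != 9:
        return None
    epoch, pid, uid, comm, field5, tty, rtype, field8, payload = fields
    if not (epoch.isdigit() and pid.isdigit() and uid.isdigit()):
        return None
    return {"mon": m["mon"], "day": m["day"], "hms": m["hms"],
            "host": m["host"], "epoch": int(epoch), "pid": int(pid),
            "uid": int(uid), "comm": comm, "field5": field5, "tty": tty,
            "type": rtype, "field8": field8, "payload": payload}

def reconstruct(lines):
    """Join the 'c' (character, assumed) records per (pid, uid, comm, tty).

    Assumption: an empty payload on a 'c' record is a space that syslog or
    the mail client trimmed.  Other record types (the final 'b') are not
    keystrokes and are skipped.
    """
    streams = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] != "c":
            continue
        key = (rec["pid"], rec["uid"], rec["comm"], rec["tty"])
        streams[key].append(rec["payload"] or " ")
    return {key: "".join(chars) for key, chars in streams.items()}

def clock_skew(rec, year=2002, utc_offset_hours=-6):
    """Seconds by which the kernel's epoch field leads the syslog stamp.

    syslog logs neither year nor zone; 2002 and CST (UTC-6) come from the
    mail header.  Non-zero means the module and syslogd disagree on time.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    stamp = datetime.strptime(f"{year} {rec['mon']} {rec['day']} {rec['hms']}",
                              "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return rec["epoch"] - int(stamp.timestamp())

def find_unload_attempts(streams):
    """Sessions whose typed input tries to unload a kernel module; on a
    honeypot that is the attacker removing the logger itself."""
    return [key for key, text in streams.items() if "kldunload" in text]

if __name__ == "__main__":
    streams = reconstruct(SAMPLE_LOG)
    for key, text in streams.items():
        print(key, repr(text))
    print("clock skew:", clock_skew(parse_record(SAMPLE_LOG[0])))
    print("unload attempts:", find_unload_attempts(streams))
```

Grouping on (pid, uid, comm, tty_id) rather than on pid alone matters once the placeholder tty_id is replaced by a real one, since a single sshd pid can be reused after the session ends; the clock check is the kind of cross-check worth keeping once the records go to /dev/sebek and a sniffer instead of syslog, because the epoch field is then the only timestamp the record carries.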