[Cs22800] BSDsebek Update

Benjamin Johnson bsjohnso at midway.uchicago.edu
Wed Nov 13 22:53:23 CST 2002


Below is output in /var/log/messages for BSDsebek.  As you can see, it 
clearly indicates that the hacker (myself) typed:

kldunload module

which is in fact what I did to unload BSDsebek.  I am unsure of how to 
get the tty_id so currently I just use TEST1234.  sshd was running as 
130 and I was root (uid 0) in the terminal where I was capturing 
keystrokes.  So it looks like everything is working pretty well.  Also, 
I can write to and read from /dev/sebek so tomorrow I will combine the 
logging with sending the data to the driver rather than printing out as 
a kernel message.  If I have additional time, I will work on getting 
the log reader to work.  Then I would simply have to get the sniffing / 
parsing to work, which actually isn't a huge deal because if it seems 
hard to port right now, a quick fix would be to have a linux machine on 
the net and to run sebeksniff on there.  I still have to add the 
adorebsd rootkit-like features to it but that's just code cutting and 
pasting.

Finally, I will have to set up a configuration / installation system and 
then we can test it! If all goes well, that will all be done by next 
Monday, and if not then probably just a few days later than that.

Let me know if you guys have any questions, suggestions, etc.  BTW, in a 
previous message I stated that I always got incorrect return 
values...that was partially true as I did not get what the user got, 
but I guess I got what a system call should return in the kernel.  I 
figured out part of the proc structure that had the return value (i.e. the 
# of bytes read) that I was looking for.  It's amazing how after I sat 
down for a while reading all the header files from /usr/include/sys, 
stuff made much more sense.

See ya,

Ben
--------------------------------------------------------------------------------------
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:k
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:u
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:n
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:o
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:a
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:m
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:o
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:u
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:e
Nov 13 20:42:50 bsd /kernel: |BEGIN|->1037241770:130:0:sshd:7:TEST1234:b:3:
--------------------------------------------------------------------------------------------------------

-- 
Benjamin Johnson <bsjohnso at midway.uchicago.edu>
"I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones." -- Albert Einstein
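The message above shows BSDsebek's keystroke records as raw syslog lines but does not include a reader for them. The following Python is an added example (not Ben's code, nor part of BSDsebek or Sebek) that parses the record format seen in the excerpt, reassembles the per-session keystrokes back into the typed command, and flags a session that contains a module-unload command, which on a honeypot is the event a monitor operator most wants to notice. Only the fields the message explains are treated as known (epoch timestamp, 130 for sshd, uid 0, the TEST1234 tty_id placeholder); the meaning of the `7`, the `c`/`b` type letters and the count field are assumptions and are labelled as such in the comments. The sample input is the page's own log excerpt, embedded as a constant.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the records are copied from the /var/log/messages
# excerpt in the message; the regex below also tolerates the syslog line
# wrap between "/kernel:" and "|BEGIN1|" seen in the archived copy.
SAMPLE_LOG = """\
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:k
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:48 bsd /kernel: |BEGIN1|->1037241768:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:u
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:n
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:o
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:a
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:49 bsd /kernel: |BEGIN1|->1037241769:130:0:sshd:7:TEST1234:c:2:
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:m
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:o
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:d
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:u
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:l
Nov 13 20:42:50 bsd /kernel: |BEGIN1|->1037241770:130:0:sshd:7:TEST1234:c:2:e
Nov 13 20:42:50 bsd /kernel: |BEGIN|->1037241770:130:0:sshd:7:TEST1234:b:3:
"""

# A record starts at "|BEGIN1|->" (or "|BEGIN|->") wherever it sits on the
# line, so the syslog prefix and any line wrap before the marker are ignored.
RECORD_RE = re.compile(r"\|(BEGIN1?)\|->([^\n]*)")


@dataclass
class SebekRecord:
    marker: str     # "BEGIN1" for the keystroke records, "BEGIN" for the final one
    timestamp: int  # Unix epoch seconds (1037241768 = Nov 13 2002 20:42:48 CST)
    pid: int        # 130 in the sample; the message says sshd "was running as 130"
    uid: int        # uid of the typing user (0 = root)
    comm: str       # process name ("sshd")
    fd: int         # assumption: file descriptor of the read that was hooked
    tty_id: str     # "TEST1234" placeholder, per the message
    rtype: str      # assumption: "c" = character data, "b" = some other event
    count: int      # assumption: byte count of the captured read
    data: str       # captured byte; empty when syslog dropped a trailing space


def parse_records(text):
    """Extract every BSDsebek record from a block of syslog text."""
    records = []
    for marker, body in RECORD_RE.findall(text):
        parts = body.split(":", 8)   # the data field itself may be empty
        if len(parts) != 9:
            continue                 # malformed or truncated line, skip it
        ts, pid, uid, comm, fd, tty, rtype, count, data = parts
        records.append(SebekRecord(marker, int(ts), int(pid), int(uid),
                                   comm, int(fd), tty, rtype, int(count), data))
    return records


def reconstruct_sessions(records):
    """Join the 'c' keystroke records of each (pid, uid, tty_id) session.

    Assumption: an empty data field is a space that syslog trimmed from the
    end of the line (the gap between "kldunload" and "module" in the sample).
    """
    sessions = defaultdict(list)
    for r in records:
        if r.marker == "BEGIN1" and r.rtype == "c":
            sessions[(r.pid, r.uid, r.tty_id)].append(r.data or " ")
    return {key: "".join(chars) for key, chars in sessions.items()}


# Commands a honeypot operator wants alerted on: unloading the kernel
# module is exactly how the capture itself gets switched off.
WATCHED_COMMANDS = ("kldunload",)


def flag_sessions(sessions):
    """Return {session_key: [matched watched command, ...]} for hits only."""
    hits = {}
    for key, typed in sessions.items():
        matched = [cmd for cmd in WATCHED_COMMANDS if cmd in typed]
        if matched:
            hits[key] = matched
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    sess = reconstruct_sessions(recs)
    for key, typed in sess.items():
        print(f"pid={key[0]} uid={key[1]} tty={key[2]}: {typed!r}")
    print("flagged:", flag_sessions(sess))
```

Running the block prints the single session `pid=130 uid=0 tty=TEST1234: 'kldunload module'` and flags it. Keying sessions by `(pid, uid, tty_id)` is what makes the real tty_id matter: with the TEST1234 placeholder every terminal on the box collapses into one stream, which is why the message notes that field still has to be filled in properly.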