CA-94:01.README
Issue date: February 3, 1994
Date of last revision: September 21, 1995

This file is a supplement to CERT Advisory CA-94:01, "Ongoing Network
Monitoring Attacks," and will be updated as additional information
becomes available.

Note: After we publish checksums in advisories and READMEs, files are
sometimes updated at individual locations because of system upgrades or patch
installation. For current MD5 checksum values, we recommend that you check
with your vendor.

////////////////////
Added Feb. 2, 1995

In addition to the information provided in CERT advisory CA-94:01
"Ongoing Network Monitoring Attacks," we encourage you to look
for these other signs of packet sniffer activity. These have been
reported to us since the advisory was issued:

      * Check for modifications to /etc/rc* files and /etc/shutdown.
        Some intruders have modified /etc/rc files to ensure that
        the sniffer restarts after a shutdown or reboot. Others
        have modified the shutdown sequence to remove all traces of
        compromise.

      * Look for additional Trojan binaries, in particular:
        netstat, ifconfig, su, ls, find, du, df, libc, sync, and any
        binaries referred to in /etc/inetd.conf.

      * Look for unexpected ASCII files in the /dev directory.
        Some of the Trojan binaries rely on configuration files,
        which are often found in /dev.

Other Information:

      * Some sites have reported intruders gaining root access and then
        reinstalling a kernel with /dev/nit functionality.

      * We have seen sniffers for other platforms, e.g., Solaris.

      * Sites have reported intruders using sniffers to capture
        authentication to routers. Using that data, they compromise
        the routers and modify the configuration file.

////////////////////
Added September 21, 1995

We urge you to use the cpm tool on every machine at your site (where
applicable). Some sites run this as a cron job at regular intervals, such as
every 15 minutes, to report any result that indicates a possible compromise.

The cpm tool can be obtained from

	ftp://info.cert.org/pub/tools/cpm/
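The following script is an added example, not part of the original README or
of the cpm tool. It automates the three checks listed under "Added Feb. 2, 1995"
(baseline checksums for /etc/rc*, /etc/shutdown and the named binaries;
regular files left in /dev) and the promiscuous-mode check that cpm performs,
read here from a Linux-style /sys/class/net tree rather than the SunOS /dev/nit
interface the advisory era used. Directory and baseline-file arguments are
assumptions so it can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: sniffer-activity checks drawn from CA-94:01.README.
# Assumes md5sum(1) and, for the promiscuous check, Linux sysfs.

# Real device nodes are character/block special; a regular file under
# /dev is the "unexpected ASCII file" the README warns about.
find_regular_files_in_dev() {
    dir=${1:-/dev}
    find "$dir" -type f 2>/dev/null
}

# Print interfaces whose IFF_PROMISC flag (0x100) is set. The flags file
# holds a hex value such as 0x1003; the argument allows a fake tree.
find_promisc_ifaces() {
    net=${1:-/sys/class/net}
    for f in "$net"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(( $(cat "$f") ))
        if [ $(( flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Compare files against a baseline of "md5sum  path" lines recorded from a
# clean install (paths must not contain spaces). Prints each path whose
# checksum differs or which is missing, covering /etc/rc*, /etc/shutdown,
# netstat, ifconfig, su, ls, find, du, df, libc, sync, inetd.conf targets.
check_baseline() {
    while read -r expect path; do
        [ -z "$path" ] && continue
        actual=$(md5sum "$path" 2>/dev/null | cut -d' ' -f1)
        [ "$actual" = "$expect" ] || echo "$path"
    done < "$1"
}

# Stand-alone usage (e.g. from a cron job): sh check_sniffer_signs.sh BASELINE
if [ -n "$1" ]; then
    echo "== regular files under /dev";        find_regular_files_in_dev /dev
    echo "== interfaces in promiscuous mode";  find_promisc_ifaces
    echo "== files differing from baseline";   check_baseline "$1"
fi
```

Any output from the three sections is worth investigating; as with cpm, a
promiscuous interface on a host that runs no monitoring software of its own
is a strong indicator of a sniffer.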
/////////////////////
