:>     BTW, I wrote this section because a hacker actually installed the bpf 
:>     device via the module loader during one of the root compromises at BEST,
:>     a year or two ago.  He had gotten it from a hackers cookbook of exploits
:>     which he conveniently left on-disk long enough for our daily backups to
:>     catch it :-).
:
:This doesn't actually help the attacker much, since at that point in 
:time the network drivers wouldn't have been calling the bpf tap points, 
:so it might well have been loaded, but it wouldn't have been _doing_ 
:anything useful.

    Whatever it was, it was recording packets.  This was a year or so ago,
    I don't have the code handy.

                                        -Matt
                                        Matthew Dillon 
                                        <dil...@backplane.com>

