Ray Bero
Original problem description...
> Hello,
> I was running snoop today trying to track down some network
> goofiness. I was reading through some of the output files with
> 'snoop -V -x 0...' and sprinkled throughout are some entries of the
> form...
>
> ________________________________
> 806 0.03368 ? -> * ETHER Type=9000 (Loopback),
> size = 118 bytes
>
> 0: 0000 0c47 285f 0000 0c47 285f 9000 0000 ...G(_...G(_....
> 16: 0100 0604 0001 0000 0c47 285f 805f 2409 .........G(_._$.
> 32: 0000 0c02 5ac5 cf57 0685 0000 0000 0000 ....Z..W........
> 48: 0000 0000 0000 0000 0000 0000 0004 0000 ................
> 64: 0000 0000 UUUU UUUU PPPP PPPP PPPP PPPP ....UUUUPPPPPPPP
> 80: 797a 442a 2f32 7847 5f5a 7b5a 6c31 7820 yzD*/2xG_Z{Zl1x
> 96: 7231 3962 7b56 232d 3a29 0000 0000 0000 r19b{V#-:)......
> 112: 0000 0000 0000 ......
> ________________________________
>
> Only the UUUU is replaced with my username and the PPPPPPPP with my
> password in clear text! We've recently dealt with a hacker, so I'm a bit
> concerned about this. I even rebooted a machine, telnetted to it as root,
> and snoop still shows MY user name and password about twice every 10-second
> snoop interval. To the Loopback interface?
>
> I'm sure there is a logical explanation? Don't I sound sure? :)
>
> I'm running Solaris 2.4 and 2.5.1. This seems to be the case on all the
> machines I checked for this on.
>
> Any insight would be greatly appreciated. Thanks.
>
> Ray Bero
> bero@lternet.edu