This article is from the Security Patches FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.
Hijacking terminal connections
Intruders are using a kernel module called TAP, which was originally written
for capturing streams and lets you view what a person is typing. It can also
be used to write to someone's stream, emulating that person typing a
command and allowing an intruder to "hijack" their session.
TAP is available on ftp.sterling.com in /usenet/alt.sources/volume92/Mar in
the following files:
* 920321.02.Z TAP - a STREAMS module/driver monitor (1.1)
* 920322.01.Z TAP - a STREAMS module/driver monitor (1.5) repost
* 920323.17.Z TAP - BIG BROTHERS STREAMS TAP DRIVER (1.24)
An intruder needs to install TAP as root. Therefore, if you have installed
all patches and taken the necessary precautions to eliminate ways to obtain
root, the intruder has less chance of installing TAP. You can disable
loadable modules on SunOS 4.1.x by editing the kernel configuration file
found in the /sys/`arch -k`/conf directory and commenting out the following
line with a "#" character:
options VDDRV # loadable modules
Then build and install the new kernel:
# /etc/config CONFIG_NAME
# cd ../CONFIG_NAME
# make
# cp /vmunix /vmunix.orig
# cp vmunix /
# sync; sync; sync
Reboot the system to activate the new kernel. You can also try to detect the
TAP module by running the following command:
modstat
Modstat displays all loaded modules. An intruder could trojan modstat as
well, so you may want to verify the checksum of modstat.
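The two checks described above (is "options VDDRV" still active in the kernel configuration file, and does modstat still match a known-good checksum), as an added example that is not part of the original FAQ. It is written for a POSIX shell; the function names and the baseline file format are assumptions, and the baseline must be recorded on a known-clean system and kept off the host.

```shell
#!/bin/sh
# Added example: names, paths and the baseline format are assumptions.

# vddrv_enabled CONFIG_FILE
# Succeeds (0) if the kernel config still has an active "options VDDRV"
# line, i.e. loadable modules have NOT been disabled yet.
vddrv_enabled() {
    grep -E '^[[:space:]]*options[[:space:]]+VDDRV([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# digest FILE
# Prints a tagged digest. Prefers SHA-256 where the tool exists; falls back
# to POSIX cksum (a CRC: catches careless replacement, not a crafted one).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf 'sha256:%s\n' "$(sha256sum < "$1" | awk '{print $1}')"
    else
        printf 'cksum:%s\n' "$(cksum < "$1" | awk '{print $1 "-" $2}')"
    fi
}

# record_baseline FILE BASELINE
# Run on a known-clean install; keep BASELINE off the host (read-only media).
record_baseline() {
    digest "$1" > "$2"
}

# verify_baseline FILE BASELINE
# 0 = matches baseline, 1 = differs (possible trojan), 2 = file or baseline unreadable
verify_baseline() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(digest "$1")" = "$(cat "$2")" ] || return 1
    return 0
}
```

A result of 1 from verify_baseline means the binary no longer matches the recorded copy, so its output should not be trusted until it is restored from clean media.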
 