> There is a tool floating around called TAP which is a kernel mod that
> allows you to easily watch streams on SunOS, and capture what a person
> is typing. It is easy to modify so that you could actually write to
> the stream thus emulating that person and hijacking their terminal
> connection.
>
> To load the modules, the intruder does a modload to add the module to
> the kernel. One way to detect the hijacking tool is to do a
>
> modstat
>
> and see if there are any unfamiliar modules loaded. An intruder could trojan
> modstat so it might be worthwhile to check the integrity of modstat.

If the 'cracker' has enough access to modload the code of his or her choosing into your machine, you have no security. That is to say, anyone who can modload the code is *already* root, and could, with enough care and patience, just read the data out of the kernel streams buffers using, oh, adb, or even 'crash'. Since 'crash' comes SGID kmem (on SunOS) or SGID sys (Solaris), you may already have this problem.

Jim

P.S. To my detractors on the NFS over TCP on Solaris issue, suggest you read the man page for nfsd, and then look at the arguments passed by default when your machine started its nfsd. Just because udp is the default doesn't mean that TCP doesn't work.
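The two checks the quoted poster suggests (diff the loaded-module list against a known-good baseline, and verify the integrity of the modstat binary itself) as a POSIX shell script; this is an added example, not code from the thread. The module names, the modstat-like column layout and the checksum values are constructed assumptions, and on a real system the listing would come from modstat and the baseline from a trusted install.

```shell
#!/bin/sh
# Added example: baseline comparison of a module listing plus a checksum
# check of the listing tool. Listing, baseline and layout are constructed.

# Constructed baseline: module names recorded on a known-good system.
BASELINE_MODULES="nfs_srv
audio
ipfilter"

# Constructed listing in a modstat-like layout; the module name is the last field.
CURRENT_LISTING="Id Type Loadaddr Size B-major C-major Sysnum Mod Name
 1 Pdrv ff15e000 1000 59. 12. nfs_srv
 2 Pdrv ff160000 2000 60. 13. audio
 3 Pdrv ff162000 3000 61. 14. ipfilter
 4 Pdrv ff165000 0800 62. 15. tap"

# Print every module named in the listing that is absent from the baseline.
# Skips the header line; on a real host $1 would be the output of modstat.
unfamiliar_modules() {
    listing=$1
    baseline=$2
    printf '%s\n' "$listing" | awk 'NR > 1 && NF > 0 { print $NF }' |
    while IFS= read -r mod; do
        printf '%s\n' "$baseline" | grep -qxF -- "$mod" || printf '%s\n' "$mod"
    done
}

# POSIX cksum CRC of a file. Record it once on a trusted system and keep the
# value offline, since a trojaned modstat would also defeat a local record.
record_checksum() {
    cksum "$1" | awk '{ print $1 }'
}

# Succeeds only if the file's current CRC matches the recorded value.
verify_tool_checksum() {
    actual=$(record_checksum "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Stand-alone run: report modules not present in the baseline.
unfamiliar_modules "$CURRENT_LISTING" "$BASELINE_MODULES"
```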