The latest in our *-Watcher series, "TTY-Watcher", is now freely available for anonymous FTP:

    ftp://coast.cs.purdue.edu/pub/tools/unix/ttywatcher

For those who were interested in IP-Watcher, it has been released as a commercial product. For more information, take a look at:

    http://nad.infostructure.com/watcher.htm

If you're not interested in the IP-Watcher product, but are interested in the inherent vulnerability in TCP/IP it exploits to perform its active countermeasures, take a look at the web pages as well. (They've been significantly redone since the first announcement, and hopefully are more helpful) :-)

Thanks!

mcn@EnGarde.com
En Garde Systems
Computer Security Software and Consulting

======

From the README:

What is TTY-Watcher?
--------------------

TTY-Watcher is a utility to monitor and control users on a single system. It is based on our IP-Watcher utility, which can be used to monitor and control users on an entire network. It is similar to advise or tap, but with many more advanced features and a user-friendly (either X-Windows or text) interface. TTY-Watcher allows the user to monitor every tty on the system, as well as interact with them by:

1) Sharing a TTY. Anything the user types into a monitored TTY window will be sent to the underlying process (and consequently echoed back to the real owner of the TTY). In this way, you are "sharing" a login session with another user.

2) Termination. At the click of a button (or an escape sequence with the text interface), the current connection can be instantly terminated.

3) Stealing. Another click of the button allows the user to "steal" the monitored TTY. The TTY will continue to function as normal for the TTY-Watcher user, but the real owner of the TTY will see no output, and his keystrokes will be ignored.

4) Returning the TTY. After a TTY has been stolen, it can be returned to the user, as though nothing happened.

5) Sending the user a message. A message can be sent to the real owner of the TTY without interfering with the commands he's typing. The message will only be displayed on his screen and will not be sent to the underlying process.

Aside from monitoring and controlling TTYs, individual connections can be logged to either a raw logfile for later playback (somewhat like a VCR) or to a text file.

Each of these abilities (except for #4) is also available in our commercial IP-Watcher program, except instead of monitoring and controlling TTYs, entire TCP/IP connections can be monitored and controlled. In this way, you can monitor an entire network rather than a single machine.

What systems is it available for?
---------------------------------

Currently TTY-Watcher works under SunOS 4.x and Solaris 2.x systems. Ports to other systems may be possible (we just don't have access to any others). The requirements for a system are: loadable (or at least user-configurable) device drivers, and STREAMS ttys.

It has been tested in the following configurations:

    sun4m (SS5) running 4.1.3_U1B
    sun4m (LX) running 2.4

All the hooks are there for other hardware types (sun4c, sun4, etc.), but we don't have access to them. If you have success with these machines, let us know. If not, send us the patches! :-)