Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: finger-bombing
From: chowes () helix net (Charles Howes)
Date: Thu, 13 Oct 1994 20:16:00 -0700 (PDT)

On Thu, 13 Oct 1994, James Seng wrote:


On Wed, 12 Oct 1994, Christopher Klaus wrote:

Contact the admins of those hosts and tell them to have it stopped.  
Also, modify inetd.conf and comment out finger and kill -HUP inetd
to restart it.


A question which is not really relvant to this mailing-list..What if the 
admin is the one who is guilty of such attack? (attack here refers to 
more general case than just fingering) Who do i inform or do i have to 
deal it myself? :-)


Fortunately, there is always a course of action.

For any site, if you can't get satisfaction, you can go up the chain of
command until you *do* get satisfaction.

Universities, companies, and others are on the net for a reason, and
usually want to be good neighbours.  University and company presidents
are usually quite responsive if their subordinates are causing
problems.

And, if the president is causing a problem, there's a network provider
that can always be approached.

If *that* fails to satisfy you, you can either take it to usenet, or
decide you were wrong.  Sometimes both.  :-)


As to the original question, would creating a fifo called .plan be
good or bad?  It would freeze finger requests as they were made,
allowing a more casual tracing, but risks overflowing some kernel
table?

Also, if it is being done indirectly (finger user () yourhost@host1), ask
the folks at host1 if they could keep logs of finger requests, as well
as put in the ident service.  (Tcp wrappers, pidentd and syslog.)


ObBug: the C2conv program on SunOS 4.1.3 seemed to have dumped garbage
  over part of our password file when we tried it the other day.  The
  syslog for auth.info exploded as a result.  It's almost as secure as
  dumping the computer into wet cement, and takes less time.  How *do*
  you set up shadow passwords, anyway?

ObBug2: I was talk-bombed the other day.  You can modify a talk
  program to send escape sequences in the talk request, messing up the
  recipient's screen.  Since it's UDP, finding the culprit is not
  possible with tcpd.  Anyone have a solution?

--
Charles Howes -- chowes () helix net
 Always tell the truth, then you make it the other bloke's problem! 
 - Sean Connery, 1971

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]