Home page logo

bugtraq logo Bugtraq mailing list archives

Re: W-Land: READ THIS NOW -- telnet sci.dixie.edu 1 (fwd)
From: weave () hopi dtcc edu (Ken Weaverling)
Date: Sat, 9 Sep 1995 06:04:18 -0400

On Fri, 8 Sep 1995, Mandar M. Mirashi wrote:

---------- Forwarded message ----------
Date: Thu, 7 Sep 1995 16:50:56 -0400
From: Ken Weaverling <weave () hopi dtcc edu>

telnet sci.dixie.edu 1 | sh

The script builds an executable IRC client, real nice for the novice to
set up IRC on their own.

While that alone bothers me enough, part of the script emails the author
some *interesting* information about your system, including the
NIS domain name.

Although the original poster is right about the dommainname being returned,
he neglected to mention _where_, _how_ and _why_ this command was being
used. This command is used in conjunction of several other checks to
return the closest IRC server to the site. If you check the script

Fine -- but -- we are talking about the NIS domainname, which is not
always (nor should be) equiv to the DNS domainname.  The NIS domainname
has nothing to do with the nearest server. Revealing the NIS domainname
can be a security problem, hence my post.

Anyway, posts such as these prompted me to put up a disclaimer in the
script to use it at your own risk. This is a _free_ service that I
provide to the Internet community, and hundreds of people have benefitted
from it over the years. There are a lot more vicious(and obfuscated)
things a person can do if disguising backdoors in C code. The crux is,
you have to trust _somebody_ _somewhere_ when downloading software
from ftp sites, or installing irc using this service. Of course, the
best solution is not to trust anyone and pore through the code yourself.

Thank you for explaining. I do have some suggestions.

First, you should do a `which irc` or something to see if it is already
installed. We already have it on the system. I had at least two students
so far chew up megabytes of disk space installing this without looking
first (first semester, must have come here from a more oppresive University
next door and just assumed we don't have it :-)

Second, it's too easy. This may be a religious issue, but a user that has
to know enough to ftp an archive, unzip it, set it up, etc, should also
know enough of what is going on to know its source code and the dangers.
It is too automated and prime for abuse. Port 1 doesn't matter, you could
set up numerous machines without special privileges to run port 1.

Third, I appreciate your explanation but for the reasons about the
"dangerous" bit you explain, I agree. I don't like users installing
stuff. I try and be open as much as possible and install whatever they
want, including MUD clients, or whatever.  I can't stop them, but this
makes it too easy. A weak argument perhaps. I certainly don't want
a draconian policy of no binaries in user accounts either. Ouch...

Finally, zap the domainname command out of the script. It's not reliable
for what you want to do anyway.

I do wish that Ken had at least cc'ed me a copy of this post when
sending it to a list that I do not subscribe to :-( Please cc me at
mmmirash () mailhost ecn uoknor edu if there are followups.

Yes, I apologise. The beginning of semesters are a bit hellish, with
new students "testing the waters" for the first week or so seeing how
much they can get away with.  I saw the NIS domainname (which I still
object to) and freaked a bit.

It's tough being me, no one understands my sorrows! :-)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]