Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: iplogger-1.1+ident
From: sideshow () SATURN TERAHERTZ NET (Matt Watson)
Date: Fri, 23 Oct 1998 13:00:15 -0500


Just to correct myself, it does indeed log connections to ports that are
open.  I discovered this after i had posted this.  The reason i thought it
wasn't is because i was playin around a bit with the source, and i guess i
changed something that made it  not log them.  The other problem that
somebody else has brought to my attention about this version of iplogger
is that it does an ident for every connection made, so if one port scans
it with a spoofed address the logger is going to try and make XXXXX amount
of connections to the spoofed host.  and the host recieving all these
ident connections is going to think that the host running the iplogger is
trying to dos them or something.

-/- Matt Watson
    TeraHertz Communications Administrator
    For quality web space and shells checkout www.terahertz.net

On Wed, 21 Oct 1998, Matt Watson wrote:

Hello, today i was wondering around sunsite and noticed a newer version of
iplogger there:
ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/iplogger-ident-1.1.tar.gz
Anyways i decided to take a look at the new code at the first thing that
popped right out was:
        while (1) {
                read(s, (struct ippkt *) &pkt, 9999);
                if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0) {
                        if (!fork()) { /* double fork()    */
                                if (!fork()) {  /* to avoid zombies */
                                        openlog("tcplogd", 0, LOG_DAEMON);


^^ lines 34-39
now then, that double fork... thats well uhm evil.  That has remote
fork-bomb written all over it.  just load up your favorite port scanner
and scan away and watch your machine fork like crazy!  Anyways just
another comment on the new iplogger, it seems it only logs connections to
ports which are not open? I dunno about everybody else but personally i'd
rather know who is connecting to ports I do have open rather than who is
trying to connect to ports i don't have open.  Anyways thats my 2 cents.

-/- Matt Watson
    TeraHertz Communications Administrator
    For quality web space and shells checkout www.terahertz.net




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]