Bugtraq mailing list archives

Re: finger-bombing

From: mch () sqwest bc ca (Mark C. Henderson)
Date: Fri, 14 Oct 1994 20:25:41 -0700

daemon that would get the name of the guy that fingered the attacked host?

yea it is called identd, I have modified my rlogin, telnet, ftpd & popper
servers to do identd queries on all connections.


Or you can just use the standard rlogind, telnetd &c. together with 
tcp_wrappers (I remember you need to build with the appropriate 
option in the makefile to force ident queries). 

There are important limitations.

ident aware daemons will only give you useful information if the host 
the person is fingering from is running identd and the host hasn't 
been compromised (once you have root, it is easy to replace identd 
with something that returns whatever username amuses you - a two line
perl script can replace identd very nicely and return what you want). 

I still think ident is useful for logging (in practice it really _is_ 
useful), but you can't depend on it working and you can't depend on 
the information it returns. 

Mark

-- 
Mark Henderson, SoftQuad Inc., 108-10070 King George Hwy, Surrey, B.C. V3T 2W4
Internet: mch () sqwest bc ca, markh () wimsey bc ca          Voice: +1 604 585 8394
Fax: +1 604 585 1926    RIPEM MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
ViaCryptPGP Key fingerprint = C4 EC 2F 6C 1B ED F6 06  1D E9 08 E4 E5 F9 FA 16

Current thread:

Re: finger-bombing Nayfield, Rod (Oct 13)
- Re: finger-bombing Breakdown (Oct 14)
  - Re: finger-bombing Pete Shipley (Oct 14)
- <Possible follow-ups>
- Re: finger-bombing Bill Heiser (Oct 14)
- Re: finger-bombing Brad Powell (Oct 14)
- Re: finger-bombing Richard A Childers (Oct 14)
- Re: finger-bombing Mark C. Henderson (Oct 14)
- Re: finger-bombing Mark C. Henderson (Oct 14)
- Re: finger-bombing Rik Farrow 602 282 0242 MST (Oct 15)
- Re[2]: finger-bombing Nayfield, Rod (Oct 17)