[8247] in bugtraq


iplogger-1.1+ident

daemon@ATHENA.MIT.EDU (Matt Watson)
Fri Oct 23 13:38:49 1998

Date: 	Wed, 21 Oct 1998 22:27:58 -0500
Reply-To: Matt Watson <sideshow@SATURN.TERAHERTZ.NET>
From: Matt Watson <sideshow@SATURN.TERAHERTZ.NET>
To: BUGTRAQ@NETSPACE.ORG

Hello, today I was wandering around sunsite and noticed a newer version of
iplogger there:
ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/iplogger-ident-1.1.tar.gz
Anyways I decided to take a look at the new code and the first thing that
popped right out was:
        while (1) {
                read(s, (struct ippkt *) &pkt, 9999);
                if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0) {
                        if (!fork()) { /* double fork()    */
                                if (!fork()) {  /* to avoid zombies */
                                        openlog("tcplogd", 0, LOG_DAEMON);


^^ lines 34-39
Now then, that double fork... that's well uhm evil.  That has remote
fork-bomb written all over it.  Just load up your favorite port scanner
and scan away and watch your machine fork like crazy!  Anyways just
another comment on the new iplogger, it seems it only logs connections to
ports which are not open? I dunno about everybody else but personally I'd
rather know who is connecting to ports I do have open rather than who is
trying to connect to ports I don't have open.  Anyways that's my 2 cents.

-/- Matt Watson
    TeraHertz Communications Administrator
    For quality web space and shells checkout www.terahertz.net
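
The unbounded fork-per-SYN pattern quoted in the post can be replaced by a capped, single-fork design. The following is an added example, not code from the post or from iplogger: it reaps children with a non-blocking waitpid() instead of double-forking, and drops events once a fixed number of workers is alive. MAX_CHILDREN, spawn_logger, slow_work and fast_work are assumed names chosen for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_CHILDREN 8          /* assumed cap; tune to the host */
static int live_children = 0;   /* children forked and not yet reaped */

/* Collect exited children without blocking, so no zombies pile up
 * and no second fork() is needed to disown the worker. */
static void reap_children(void)
{
    while (live_children > 0 && waitpid(-1, NULL, WNOHANG) > 0)
        live_children--;
}

/* Run work() in a child if under the cap. Returns 1 if a child was
 * started, 0 if the event was dropped at the cap, -1 if fork() failed. */
int spawn_logger(void (*work)(void))
{
    pid_t pid;

    reap_children();
    if (live_children >= MAX_CHILDREN)
        return 0;               /* shed load instead of forking again */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        work();                 /* e.g. the ident lookup and syslog() call */
        _exit(0);
    }
    live_children++;
    return 1;
}

/* Constructed workers standing in for the per-connection logging job. */
void slow_work(void) { sleep(1); }
void fast_work(void) { }

int main(void)
{
    int i, started = 0, dropped = 0;

    for (i = 0; i < 100; i++)   /* constructed burst of 100 events */
        if (spawn_logger(slow_work) == 1) started++; else dropped++;
    printf("started=%d dropped=%d\n", started, dropped);
    return 0;
}
```

Dropped events can be counted and reported in a single summary log line so that a scan still shows up in the logs without costing one process per packet.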
