[8277] in bugtraq
Re: iplogger-1.1+ident
daemon@ATHENA.MIT.EDU (Matt Watson)
Fri Oct 23 22:56:28 1998
Date: Fri, 23 Oct 1998 13:00:15 -0500
Reply-To: Matt Watson <sideshow@SATURN.TERAHERTZ.NET>
From: Matt Watson <sideshow@SATURN.TERAHERTZ.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.981021222027.1787D-100000@saturn.terahertz.net>
Just to correct myself, it does indeed log connections to ports that are
open. I discovered this after I had posted this. The reason I thought it
wasn't is because I was playing around a bit with the source, and I guess I
changed something that made it not log them. The other problem that
somebody else has brought to my attention about this version of iplogger
is that it does an ident for every connection made, so if one port scans
it with a spoofed address the logger is going to try and make XXXXX amount
of connections to the spoofed host, and the host receiving all these
ident connections is going to think that the host running the iplogger is
trying to DoS them or something.
-/- Matt Watson
TeraHertz Communications Administrator
For quality web space and shells check out www.terahertz.net
On Wed, 21 Oct 1998, Matt Watson wrote:
> Hello, today I was wandering around sunsite and noticed a newer version of
> iplogger there:
> ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/iplogger-ident-1.1.tar.gz
> Anyways I decided to take a look at the new code and the first thing that
> popped right out was:
>     while (1) {
>         read(s, (struct ippkt *) &pkt, 9999);
>         if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0) {
>             if (!fork()) {          /* double fork() */
>                 if (!fork()) {      /* to avoid zombies */
>                     openlog("tcplogd", 0, LOG_DAEMON);
>
>
> ^^ lines 34-39
> Now then, that double fork... that's well uhm evil. That has remote
> fork-bomb written all over it. Just load up your favorite port scanner
> and scan away and watch your machine fork like crazy! Anyways just
> another comment on the new iplogger, it seems it only logs connections to
> ports which are not open? I dunno about everybody else but personally I'd
> rather know who is connecting to ports I do have open rather than who is
> trying to connect to ports I don't have open. Anyways that's my 2 cents.
>
> -/- Matt Watson
> TeraHertz Communications Administrator
> For quality web space and shells check out www.terahertz.net
>
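
An added example, not part of the original messages or of iplogger's source: one way a SYN logger can bound the two costs discussed above, the fork per SYN and the ident connection per SYN, by gating lookups with a global in-flight cap and a per-source window. All names and limits (`ident_gate`, `MAX_INFLIGHT`, `PER_SRC_WINDOW`) are hypothetical, and the sample source address is constructed.

```c
/* Added example: decide per SYN whether to fork and do an ident lookup. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INFLIGHT   8    /* assumed cap on concurrent lookup children */
#define PER_SRC_WINDOW 60   /* assumed: one ident lookup per source per 60 s */
#define TABLE_SIZE     256

struct src_entry { uint32_t addr; long last; int used; };
struct ident_gate { struct src_entry tab[TABLE_SIZE]; int inflight; };

void gate_init(struct ident_gate *g) { memset(g, 0, sizeof *g); }

/* 1: caller may fork a child and do the ident lookup for this SYN.
 * 0: log the SYN from packet fields only; no fork, no outbound connection. */
int gate_allow(struct ident_gate *g, uint32_t src, long now)
{
    struct src_entry *e = &g->tab[(uint32_t)(src * 2654435761u) >> 24];

    if (g->inflight >= MAX_INFLIGHT)
        return 0;                       /* global cap: no fork storm */
    if (e->used && e->addr == src && now - e->last < PER_SRC_WINDOW)
        return 0;                       /* this source was queried recently */
    e->addr = src; e->last = now; e->used = 1;
    g->inflight++;
    return 1;
}

/* Call once a lookup child has been reaped. */
void gate_done(struct ident_gate *g) { if (g->inflight > 0) g->inflight--; }

/* Constructed input: nsyn SYNs, all claiming source src, at time now.
 * Returns how many ident lookups the gate lets through. */
int count_lookups_same_src(struct ident_gate *g, uint32_t src, int nsyn, long now)
{
    int i, started = 0;
    for (i = 0; i < nsyn; i++)
        if (gate_allow(g, src, now)) { started++; gate_done(g); }
    return started;
}

int main(void)
{
    struct ident_gate g;
    gate_init(&g);
    /* 192.0.2.1 (documentation range) hitting 1000 ports in one second */
    printf("lookups: %d\n", count_lookups_same_src(&g, 0xC0000201u, 1000, 100));
    return 0;
}
```

A slot collision in the small table only evicts the older source's timestamp; the in-flight cap still bounds the number of children and outbound ident connections at any moment.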