Re: iplogger-1.1+ident

From: Matt Watson (sideshowat_private)
Date: Fri Oct 23 1998 - 11:00:15 PDT

Next message: pedwardat_private: "Re: License Manager's lockfiles (Solaris 2.5.1)"

Previous message: pedwardat_private: "Re: Netscape "What's Related""
Maybe in reply to: Matt Watson: "iplogger-1.1+ident"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Just to correct myself, it does indeed log connections to ports that are
open.  I discovered this after i had posted this.  The reason i thought it
wasn't is because i was playin around a bit with the source, and i guess i
changed something that made it  not log them.  The other problem that
somebody else has brought to my attention about this version of iplogger
is that it does an ident for every connection made, so if one port scans
it with a spoofed address the logger is going to try and make XXXXX amount
of connections to the spoofed host.  and the host recieving all these
ident connections is going to think that the host running the iplogger is
trying to dos them or something.

-/- Matt Watson
    TeraHertz Communications Administrator
    For quality web space and shells checkout www.terahertz.net

On Wed, 21 Oct 1998, Matt Watson wrote:

> Hello, today i was wondering around sunsite and noticed a newer version of
> iplogger there:
> ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/iplogger-ident-1.1.tar.gz
> Anyways i decided to take a look at the new code at the first thing that
> popped right out was:
>         while (1) {
>                 read(s, (struct ippkt *) &pkt, 9999);
>                 if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0) {
>                         if (!fork()) { /* double fork()    */
>                                 if (!fork()) {  /* to avoid zombies */
>                                         openlog("tcplogd", 0, LOG_DAEMON);
>
>
> ^^ lines 34-39
> now then, that double fork... thats well uhm evil.  That has remote
> fork-bomb written all over it.  just load up your favorite port scanner
> and scan away and watch your machine fork like crazy!  Anyways just
> another comment on the new iplogger, it seems it only logs connections to
> ports which are not open? I dunno about everybody else but personally i'd
> rather know who is connecting to ports I do have open rather than who is
> trying to connect to ports i don't have open.  Anyways thats my 2 cents.
>
> -/- Matt Watson
>     TeraHertz Communications Administrator
>     For quality web space and shells checkout www.terahertz.net
>

Next message: pedwardat_private: "Re: License Manager's lockfiles (Solaris 2.5.1)"
Previous message: pedwardat_private: "Re: Netscape "What's Related""
Maybe in reply to: Matt Watson: "iplogger-1.1+ident"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:20:56 PDT