Re: flash

[dsiebert () icaen uiowa edu (Doug Siebert)]

> > and there's already programs written for spoofing syslogd messages so
> > it appears the message came from anywhere from anyone with any type of
> > garbage.



Darren Reed <avalon () coombs anu edu au> replies with:


> host# cat > bind.c <<_EOF_
> #include <sys/types.h>
> #include <netinet/in.h>
> #include <sys/socket.h>
> #include <sys/syscall.h>

> int bind(fd, sk, sl)
> int fd, sl;
> struct sockaddr_in *sk;
> {
>       if (sk->sin_family == AF_INET) sk->sin_addr.s_addr = 0x7f000001;
>       return syscall(SYS_bind, fd, sk, sl);
> }
> _EOF_
> host# cc -O -pic bind.c
> host# ld -assert pure-text bind.o -ldl
> host# mv a.out libbind.o
> host# setenv LD_PRELOAD libbind.o
> host# syslogd
> host# unsetenv LD_PRELOAD

> That should cover it, no ?

> Restricts syslogd to the local machine, but that is the desired effect in
> the short term with no form of authetication, etc being in the protocol.

> Either that or get a freeware syslogd from netbsd or whoever, hack and
> compile that.  Still is a problem if you like using "loghost".  Any more
> ideas on solving that in the short term ?

> darren
> p.s. I wrote that just now to give ppl an idea for a solution, if it actually
>     works, it's a bonus :)




I'm not sure if this is true on all systems, but I know on HP-UX if you comment
out the "syslog" line in /etc/services it won't bind the UDP socket to listen
on at all, which would have the same effect with less hassle.  And it is likely
to be more portable than the SunOS hack, since most versions of syslog would
be likely to do a getservbyname("syslog").


Doug Siebert
dsiebert () isca uiowa edu