Bugtraq mailing list archives

iplogger-1.1+ident

From: sideshow () SATURN TERAHERTZ NET (Matt Watson)
Date: Wed, 21 Oct 1998 22:27:58 -0500


Hello, today i was wondering around sunsite and noticed a newer version of
iplogger there:
ftp://sunsite.unc.edu/pub/Linux/system/network/daemons/iplogger-ident-1.1.tar.gz
Anyways i decided to take a look at the new code at the first thing that
popped right out was:
        while (1) {
                read(s, (struct ippkt *) &pkt, 9999);
                if (pkt.tcp.syn == 1 && pkt.tcp.ack == 0) {
                        if (!fork()) { /* double fork()    */
                                if (!fork()) {  /* to avoid zombies */
                                        openlog("tcplogd", 0, LOG_DAEMON);


^^ lines 34-39
now then, that double fork... thats well uhm evil.  That has remote
fork-bomb written all over it.  just load up your favorite port scanner
and scan away and watch your machine fork like crazy!  Anyways just
another comment on the new iplogger, it seems it only logs connections to
ports which are not open? I dunno about everybody else but personally i'd
rather know who is connecting to ports I do have open rather than who is
trying to connect to ports i don't have open.  Anyways thats my 2 cents.

-/- Matt Watson
    TeraHertz Communications Administrator
    For quality web space and shells checkout www.terahertz.net

Current thread:

iplogger-1.1+ident Matt Watson (Oct 21)
- Re: iplogger-1.1+ident Matt Watson (Oct 23)
- <Possible follow-ups>
- Re: iplogger-1.1+ident Brian Mitchell (Oct 23)