Re: Nmap and xlogmaster

[Erik Parker <netmask () 303 org>]

Yes, Another thing, would be the fact the program could loop as well. I
have seen many boxes that turn around and portscan ALL attempts to them.
That would loop our boxes together in a second, and take us both down. 

I am not a programmer, I am learning C, but fyodor knows his shit pretty
well, but even the best make mistakes. It is getting bigger, and I am sure
we will see bugs to come.

On Thu, 28 Jan 1999, Lamont Granquist wrote:

> it would also be a good idea to put this into a script and have it choke
> the number of scans it will do based both on how often it scans a
> particular machine and how often it issues scans to any machines.  that
> way you don't get used by a spoofer to DoS someone else via using your
> machine as a "bandwidth multiplier."  it should of course log the fact
> that it is choking, and it should be careful not to fill your disk up.
>
> also, i'm a little bit worried that nmap is getting to be a large and
> complicated program and may have exploitable security holes in it.  when
> doing booby-traps like this you always have to consider that someone may
> attack you by setting off the booby-trap and then supplying the program
> with, say, a buffer overflow which will compromise your security.  this is
> why tcp_wrappers ships with the safe_finger program for you to use in
> booby-traps since it has likely undergone a better security audit than the
> finger program on your machine.
>
> On Thu, 28 Jan 1999, Max Vision wrote:
> > On Thu, 28 Jan 1999, Erik Parker wrote:
> > > So.. Using xlogmaster, anytime it see's "ssh connection attempt" it
> > > executes /root/program
> > >
> > > /root/program contains:
> > >
> > > tail /var/log/messages | grep -i "ssh connection attempt from" |awk
> > > '{print $10}'|xargs nmap -O >> /root/nmaplog
> >
> > First to answer your questions, to get the actual fingerprint use -d.  As
> > for the append option, use >>.
> >
> > Now to address your "/root/program" script... there are several problems
> > that I would hate to see you run into.  What if there are, say, five
> > connections to your ssh port, each right after the other, thus fitting
> > into the last ten lines of /var/log/messages (which is what tail grabs by
> > default).  This would cause your program, on the fifth catch, to have
> > run a full portscan against a host(s) 15 times.
> > Not that I would condone the use of your script above, but one way to at
> > least limit scanning to just one host would be to change it to:
> > tail /var/log/messages |grep -i "ssh connection atte"|awk '{print $10}'|\
> > tail -1|xargs nmap -O -sS -p 22,25,53,80,139 >> /root/nmaplog
> >
> > Note that I also suggest adding a port range since that will catch and ID
> > like 99% of the hosts out there.
> >
> > Good luck!
> > Max
>
> -- 
> Lamont Granquist                       lamontg () raven genome washington edu
> Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
> Box 352145 / University of Washington / Seattle, WA 98195
> PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka


Erik Parker
netmask () 303 org

http://radio.cuervocon.org/ramgen/encoder/live.rm
Real Audio G2 - Wednesday Nights 10pm-2am CST.
"Signals from Dementia" - By Dj-Netmask
Industrial / Hard Rock / Techno / Psycho Stories