Re: Is there user Anna at your host ?

[Josha Bronson <dmuz () slartibartfast angrypacket com>]

On Wed, Sep 12, 2001 at 06:17:41PM +0400, Alexander A. Kelner said:
> So, he can easy discover if user "anna" exists at your UNIX,
> and try to play with her password, or send her spam etc.

First off it looks like this was mentioned here:
http://archives.neohapsis.com/archives/vuln-dev/2000-q3/0094.html

> This approach allows him get nesessary info instead of disabled
> VRFY feature in your Sendmail !
>
> Apache works quickly and IMHO doesnt provide any responce delays
> for any kind of result code. So bad boy can check 1000 different
> names for very short time !

This will indeed allow you to enumerate usernames on systems that have
this feature enabled. The obvious solution is to disable this feature by
changing "UserDir public_html" (or whatever) to "UserDir disabled".
However that might not be an option in many cases.

> Sorry if I'm wrong, or this is something trivial.

Wrong? No. Trivial? Up in the air. Enumeration of user names is
definitely an important step in attacking a system, but just a username
is not going to get you very much. Also, there are a number of other
methods that could be used, like searching for '@domain.tld', VRFY in
sendmail (as you mentioned) or good old fashion finger (yes a lot of
people still run fingerd).

If you are paranoid like me, then disable it. Or just run OpenBSD, which
disables it by default.

-- 
josha.bronson(aka->dmuz) >> dmuz () angrypacket com
networks/systems/security && CCNA, RHCE 
josha.net || dmuz.angrypacket.com