Vulnerability Development mailing list archives

Re: report finger gives long list of users


From: Jens Hektor <hektor () RZ RWTH-AACHEN DE>
Date: Thu, 22 Mar 2001 07:48:52 +0100

John Galt wrote:
> That's one WEIRD parse.  [0-9] should not return true for "sam".  I'd
> suggest that the actual thing is that the kiddie (or one of their friends)
> has a penchant for r00t users with numerical usernames to "hide".  Numeric
> usernames are also common in FTP: perhaps they were looking for a ftpd
> 'sploit?

No. They did a brute force login attack with password = login.

> If it does as you say, it's documented in the protocol.  RFC 1288 section
> 3.2.6.

:-) Alright.

Actually, the good old finger forwarding 'feature' is still possible
with Suns and it's well documented in the manual page.

Finally: SUN has assigned a bugid (4298915:'in.fingerd can store a NULL
after end of an array on the stack') for the described problem and stated
that they are working on a patch for all affected versions.

Bye, Jens Hektor

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, firewalls/network security
mailto:hektor () RZ RWTH-Aachen DE, Tel.: +49 241 80 4866, Raum: 2.35
Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889

