Summary: "Finger logger- several questions"
Mark A Fontana
mfontana at eniac.seas.upenn.edu
Thu Apr 18 10:09:54 AEST 1991
Here's a quick summary of the mail I received concerning the finger
logging program. Unfortunately, nobody sent working programs. If
I do receive any that work particularly well, I'll post them.
- Mark Fontana
///////////////////////////////////////////////////////////////////////////
>From morrison at eniac.seas.upenn.edu
Subject: Re: How do you keep your background process alive?
[In response to my question on how to keep one's finger monitor running]
to keep it running all the time you have to know what is killing it.
Some one can kill it if they press ctl-C while it is sending out the information
through pipe. In order to prevent this you have to trap the broken pipe
signal that unix send your process. To do that you must include an interrupt
handler and install it. Look under "man 3v signal" for this information.
to keep it running when the system goes down I just put in my own cron entry.
just man cron to find out more about that. Basically cron runs jobs at a
specific time that you specify. My program tries to re-run itself every
night at 2:00am. It checks to see if it is already running and if it is then
the new copy quits. [filename] & is the correct way to run a program in the
background.
the easiest way to find out who is fingering you is to do a
ps -augx | grep "finger yourname" this will find all the people who
have run a finger process looking for you. There are problems with this
which I haven't worked out, like, if two people finger you at the same time,
what happens. you need the 'gx' to find that nasty nobody process that is
someone fingering you from off of eniac.
good luck!
-----------------------------------------------------------------------------
>From mrapple at quack.sac.ca.us Wed Apr 17 10:56:42 1991
From: Nick Sayer <nsayer at uop.uop.edu>
>if there is any way to determine the login name of a remote fingerer, or
>at least the name of the calling system.
The only way is to use RFC931 authentication. Under RFC931, you open a
TCP to the "auth" port on the remote machine, send the socket number on
both ends of the tcp stream you are asking about, (it knows who it is
and it knows who you are, so it has host and socket number for both
ends now), and it will pass back a user identification string and
close. There exists a libauthuser.a with routines to do this painlessly.
RFC931 is pretty easy to spoof, since it relies on the remote system
to provide authentication data. Also, not many sites provide RFC931.
I personally hope it gains acceptance. The auth port is 113. For
a demo, telnet uop.uop.edu 113, then stop telnet, use netstat to find
out the socket numbers, then send them on one line separated by a
comma. auth will cheerfully tell you who owns the stream on uop's
end (it's probably going to be root), then exit.
Finding the name of the other system is easy -- gethostbyaddr().
>Ultimately, I'd like to be able
>to fetch the full name of a remote user, ie. (Mark A Fontana), so that
>I could extend a customized greeting to foreign fingerers as well.
Well, you could take the auth data and the hostname, finger the other
end, and use the results, but if everyone did this, there'd be massive
looping problems.
---------------------------------------------------------------------------
>From shein at ferdowsi.berkeley.edu Fri Apr 12 18:52:44 1991
Subject: Re: Finger logger: several questions
Date: Fri, 12 Apr 91 15:52:06 -0700
I don't have any code to contribute -- the program I played around
with, I got from Noam Mendelson (c60b-1eq at web.berkeley.edu) who got
it from Andrew Choi (also at Berkeley, somewhere).
Getting the name of the machine finger'ing you is "easy": In the
setup I have (and probably most other finger monitors), .plan is
a FIFO, and when the finger daemon wants to read, a netstat -n is
done, and port 79 is grep'ed out. This gives the Internet address
of the machine. You would have to strip of the trailing .79; then
you can use the gethostbyaddr() call in C to get the name of the
finger machine. I haven't done this, since I came across another
problem:
When I run my program on my workstation (ferdowsi), and people
finger shein at ferdowsi, everything is great. When I'm fingered at
the server (shein at robotics), however, the finger command never
returns. I could run the program on the server instead, but then
fingering me at ferdowsi, or any other workstation in the cluster,
would never come back.
---------------------------------------------------------------------------
>From c60b-1eq at WEB.berkeley.edu Fri Apr 12 23:13:50 1991
Concerning your comp.unix.questions post:
You can test which host fingerd is responding to by doing a netstat -n
listing then searching for ".79 " (when a finger request is in progress).
I.e., in the finger logging program, add a system() call which executes
netstat -n and parse the output in your program.
If you don't have netstat -n and you aren't into monitoring TCP ports
on your own, then you're out of luck.
Again, as I posted in c.u.q, there is no way to find the login name of the
remote user. All you can do is guess by listing all of the users logged
in (hint: look at idle times). If you have access to the remote machine,
you could use ps, but then a finger request would take quite a while.
---------------------------------------------------------------------------
>From derge at paris.crd.ge.com Fri Apr 12 16:31:48 1991
There's really no general way to figure out the username of the person
who's fingering you unless they do it on your local machine, and even then you
can be a little uncertain if more than 1 finger process is running. This stems
from the fact that only the hostname can be determined directly from the
network
packet. So all you can really tell for sure from ps and netstat is the
hostname, if that.
Of course, your monitor program will also get a little confused if more
than one finger happens to be going on at once. The only way to combat this
would be to rewrite the finger daemon itself to send you mail when it gets a
connection (the daemon can tell what host the connection comes from). But even
then, you wouldn't know who did it, and you wouldn't be able to avoid this next
problem.
To make things a little more complicated, a tricky user on machine xxx
can always fool you by doing something like finger
mfontana at eniac@otherhost1 at otherhost2. What happens here is you get a chain of
fingers going from xxx to otherhost2 to otherhost1 to eniac. Unless you trace
that whole chain, you'll never find the person.
There are, however, a few things you might try that will help under the
right circumstances:
1. If you have an account on that remote machine, and your .rhosts is set up
properly, you can rsh a "ps -auxwwww | grep finger" to the remote machine, and
use that process information to figure out who's fingering you.
2. You could also just do something as simple as fingering @remote, and as long
as only one person is logged on, you know who it was.
Note, of course, that the above 2 methods do not follow the whole chain,
and are therefore rather suspect. The bottom line is that you can come close,
but you really can't ever be certain of who fingered you because of the finger
a at b@c at d thing. If I know you're watching me, I can always fool your program by
careful planning.
---------------------------------------------------------------------------
That's it.
More information about the Comp.unix.questions
mailing list