On Thu, 16 May 1996, Dave Dittrich wrote: > The trick, as I learned it, was to use @@XXX.com on Ultrix systems. > After a quick test, I notice that single letters and "." don't work on > Ultrix, but any digit or "@" does. Go figure. Probably some Berkeley > student had a hangover the day they coded finger? Well, the normal finger program will finger @localhost if you specify simply: finger @ so when you do, for example: finger @@foo.bar.com foo.bar.com will receive the finger with the data "@" and then proceed to finger itself (localhost). A simple denial of service attack is to do: finger @@@@@@@@@@@@@@@@@@[...]@@@foo.bar.com You can imagine what this will cause... :-) I trivial fix is to look for an '@' sign in the sent string (in in.fingerd) and deny the finger. -Taner -------------------------=[ D. Taner Halicioglu ]=---------------------------- taner@sdsc.edu The San Diego Supercomputer Center, Workstation Services taner@ucsd.edu U. of California, San Diego - Revelle - Computer Sci. IRC Admin for irc.sdsc.edu/irc.ucsd.edu/irc.cerf.net taner@mecca.epri.com EPRI - 3412 Hillview Ave, Palo Alto, CA -------------=[ Linux 1.3.* OS - http://www.sdsc.edu/~taner/ ]=---------------