[Snort-sigs] SID 321
anton at ...1177...
Thu Jan 16 07:59:38 EST 2003
Jim and all,
>I was messing around with this signature a little... I had access to an
>unpatched Solaris 2.6 box. It would appear that any string with a space
Hmm, looks like all the boxes round here are patched... I vaguely remember
trying this thing long time ago with different strings with similar
>in the finger request would enumerate a partial list of users, not just
>"a b c d e f"@somehost. I also found that a string like "234567" would
>enumerate a partial list of users as well.
Ooh! That works even on boxes where the 'a b c ' fails. He-he, a better
sig is definitely needed:
$ finger 234567 at ...1187...
Login Name TTY Idle When Where
daemon ??? < . . . . >
bin ??? < . . . . >
sys ??? < . . . . >
test ??? pts/3 <Dec 20 11:14> 10.10.10.11
Anton A. Chuvakin, Ph.D., GCIA
More information about the Snort-sigs