Playing With Your Fingers
by Shidoshi
Seems that a lot of people are asking questions about backfingering people over the Internet who have been Finger'ing them. I hope to explore the different options available to you in this article, and while not divulging much source code, at least offer a few ideas that should give the true explorer hardly any trouble developing a safe and efficient "backfinger" device.
What's the point?
Well, you probably have been "exploring" a few systems lately and have no doubt caught the attention of the system administrator's eye (or one of his staff...), that is, if he cares. You should have absolutely no doubt that if you've been Telnet'ing to port 25 of the same box frequently, that the sysadmin has been looking at your trail. In my case, I get Finger'd by sysadmins that I don't even know, but they keep checking the wrong account... like I'd really do anything from my university account. Another good thing about logging Finger requests - it teaches a very important part of UNIX education, that being socket programming. If you don't know how to handle sockets under your UNIX then you're wasting your time and should go pull out the Commodore and go back to writing "cute" BASIC programs.
Most people who want to Finger log only want to impress their friends, whereas others have a serious need to know who's been scratching at their windows. I hope you both can find something of value here. The first thing you need to be conscious of is process time and cost. Always remember that unless you're running your own 386BSD, Linux, or equivalent box you are on a time-sharing system, and your system administrator will notice anything that is too process-intensive and will kill it and disable the file. I'll start with the worst ways (that aren't really effective anyway) of logging Finger requests and move on up to something that, with a little thought, could give you more power than you asked for. Hell, I'm using Emacs, so I'll even throw in some examples along the way.
Really Bad Things to Type
So let's say you just bought your first UNIX book, or you've just read a few man pages and you're ready to rumble with some commands you've learned about. What are some really stupid things you might do? (Note: These examples are all tested under SunOS 4.1.3 and may or may not work for you, so don't swear by them.)
Let's say you've got the ability to use a .fingerrc file (which executes any script you give it upon your being Finger'd) that contains something like this:
$ cat stupid.fingerrc
#!/bin/sh
#
# I am going to actually try to log finger requests with this
# I am a tool
#
# Scan the "what" column of w for a finger aimed at this account
# (double quotes so that `whoami` actually expands), then stamp the time.
w | grep "finger.*`whoami`" | cut -c-9 >> .fingerlog; echo " `date` " >> .fingerlog
Why this is just plain stupid:
1.) The w command (what) is probably the most process-intensive thing you can run as it checks utmp for every single thing that every single person logged on is doing just to look for your stupid name.
2.) It will only log people on your home server.
3.) You won't accomplish much at 4 pm when the load is 34.43 and your friend decides to write a Perl script to finger you 1000 times.
This is just plain nauseating, and it's all too obvious that you're doing it (remember, people do not usually like to know someone is recording what they're doing.)
This also costs way too much in process time to be practical for anyone. The w, ps, and netstat commands could all be used to log Finger requests, impractically (read the man pages to see what they do), and usually are used by folks who don't really know what UNIX is all about. What you have to remember is that UNIX is an operating system built around itself and that anything that can be done in one way can be reproduced in another or reused (hence the term Widget for you X Windows hackers).
You really should get to know the apropos command if you don't already. It'll help you when you're trying to think of new things to try, but aren't quite sure of what to look for. No sysadmin or local guru (unless you're his/her good friend) is going to explain this to you (but you already know that... you've been hacking for a while, right?).
Check this out:
$ apropos log
ac (8)                  - login accounting
audit (2)               - write a record to the audit log
audit.log (5)           - the security audit trail file
bsuncube (6)            - view 3-D Sun logo
catgets, catgetmsg (3C) - get message from a message catalog
catopen, catclose (3C)  - open/close a message catalog
change_login (8)        - control screen blanking and choice of login utility
. . .
turnacct (8)            - shell procedures for accounting
xy (4S)                 - Disk driver for Xylogics 450 and 451 SMD Disk Controllers
zs (4S)                 - Zilog 8530 SCC serial communications driver
This will give you a lot of information, and, yes, you should go and read about all you can. One thing it won't tell you about is ident, and other "superuser" commands. These commands are very useful in logging almost everything that happens on the system. If you're running your own box you already know this, but if you're a newbie to the world of TCP/IP identification, you probably had no idea that this daemon was running and telling the system administrators where you've been Telnet'ing, Finger'ing, logging in, and sending URL requests. Like I said, I won't get into the specifics of good logging, but you can be assured that the forbidden commands (forbidden because, if used wrong, they could bring the system down very, very fast) will be extremely advantageous in finding out who's who.
If I were just starting out, I would definitely want to get a look at the code of a good "wrapper" program that already logs everything efficiently. If you've seen TCP Wrapper working, then you know what I mean. If you're running a .fingerrc then you should have absolutely no problem running efficiently written source when someone Fingers you. Of course, if you don't want to copy lots of code, it's a Good Thing™ if you can become root, but that's for you to hack out on your own.
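A small socket-level request logger of the kind a wrapper gives you, as an added example that is neither the author's nor TCP Wrapper's code: it listens on an assumed unprivileged port 7979 standing in for finger's port 79, reads one RFC 1288 request line per connection, and appends the peer address, time and requested user to an assumed .fingerlog file, information a plain .fingerrc script is not handed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>
#define FINGERLOG ".fingerlog" /* assumed: log file appended in the cwd */
#define FINGER_PORT 7979       /* assumed: unprivileged stand-in for finger's port 79 */
/* Parse an RFC 1288 request line "[/W ]user\r\n": strip the CRLF, note the /W flag,
 * copy user out (empty user = "list everyone"). Returns 0, or -1 on overflow. */
int parse_finger_request(const char *line, char *user, size_t ulen, int *verbose)
{
    char buf[256], *p = buf;
    size_t n = strcspn(line, "\r\n");
    if (n >= sizeof buf) return -1;
    memcpy(buf, line, n); buf[n] = '\0';
    *verbose = 0;
    if (strncmp(p, "/W", 2) == 0) { *verbose = 1; p += 2; }
    while (*p == ' ') p++;
    if (strlen(p) >= ulen) return -1;
    strcpy(user, p); return 0;
}
/* Append "time peer fingered 'user'" to fp; returns bytes written, -1 on error. */
int log_finger_request(FILE *fp, const char *peer, const char *user, int verbose)
{
    char ts[32]; time_t now = time(NULL);
    strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", localtime(&now));
    return fprintf(fp, "%s %s fingered '%s'%s\n", ts, peer, user, verbose ? " (/W)" : "");
}
/* Accept loop: one request line per connection, log it, send a fixed reply. */
int main(void)
{
    int s = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET; a.sin_addr.s_addr = htonl(INADDR_ANY); a.sin_port = htons(FINGER_PORT);
    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 8) < 0) { perror("bind"); return 1; }
    for (;;) {
        struct sockaddr_in peer; socklen_t pl = sizeof peer;
        int c = accept(s, (struct sockaddr *)&peer, &pl); if (c < 0) continue;
        char line[256] = {0}, user[64]; int verbose;
        FILE *fp = fopen(FINGERLOG, "a");
        if (read(c, line, sizeof line - 1) > 0 && fp &&
            parse_finger_request(line, user, sizeof user, &verbose) == 0)
            log_finger_request(fp, inet_ntoa(peer.sin_addr), user, verbose);
        if (fp) fclose(fp);
        write(c, "No information available.\r\n", 27); close(c);
    }
}
```

The listener needs no privileges on a port above 1024; keep .fingerlog readable only by you.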
Added Bonus
"Exploring" your .fingerrc
If you've been running your .fingerrc for a while, then you no doubt have discovered, or at least thought about, different things you might try. Some stuff that I've done or seen done has ranged from juvenile all the way up to brilliant. Finger logging definitely covers that entire spectrum. One very juvenile thing to do is to have your .fingerrc Finger someone else when you are Finger'd. This will get you in trouble, of course, if the person you Finger decides to drop a line in his or her .fingerrc that Fingers you. The sysadmin won't like that one bit, trust me.
Another neat thing to do is to try to inadvertently run interactive shells. This is nearly as difficult as it sounds, but if you think really hard about what the .fingerrc is doing, some things begin to come to light. Also, having your .fingerrc open up Telnet sessions is a Bad Thing™ too.
I once had mine do something like telnet eniac.seas.upenn.edu 19 whenever I was Finger'd (if you didn't know, that's the character generation port used for print testing, it scrolls lots of neat alphanumeric characters for as long as root lets it run). Other process-intensive things that run as you or root (that's simply up to you) can do destructive things, and of course you can always plead innocent with the old line of: "Hey, I didn't know it was going to do that." But, when your sysadmin starts calling you by your real name, it's probably time to lay off.
I know that I've been talking almost exclusively about people who support the .fingerrc file on their system, but unless you are brand spanking new to UNIX, you should know that you can also do much of this by using the ln command. I'll let you read the man pages on that one if you don't know what it does (and if you don't, shame shame!).
One final note: Try to remember while you're looking around your system and also creating your own files, that things that execute with your UID should never be world writable, especially if it's one of those rc files.
Something I often find on my system is a .fingerrc written by a novice who thinks that it has to be world writable to be executed. You old pros can probably already guess the damage that could be caused if someone were to do a:
$ echo "echo '+ +' >> .rhosts" >> ~foolish_user/.fingerrc
and then Finger the person... whoa buddy.
Have fun, and happy hacking.