Nookie (trax@the-force.ml.org)

Don't get mad, get even.  Here's a way to log all those
incoming nukes to the local console:

[1] Compile your own nookie.c
[2] Edit your /etc/inetd.conf
[3] Test

[1] Compile your own nookie.c

/* start nookie.c */

/* Nookie (trax@the-force.ml.org) */

#include <fcntl.h>

void main()
{
  char *message="Nuke received from ";
  /* we want the message on tty? */
  int fd=open("/dev/tty1",O_WRONLY);
  write(fd,message,strlen(message));
  close(fd);
  /* edit line below to return IP */
  system("tail -n 1 /var/log/daemon.log | cut -d ' ' -f 8 > /dev/tty1");
  /* or if you feel kinda mean, insert a system line here that nukes the
     sucker right back */     
}

/* end nookie.c */

Remember that some systems have different log names/formats, so make sure
the line marked with "edit line below" does correctly return the IP
address of the last system connect.

Now compile this and put it somewhere in your system path (/usr/local/bin
is always a good idea).

[2] Edit your inetd.conf

Insert the following line into /etc/inetd.conf.  HOWEVER, make
sure you arn't running another service on port 139!

netbios-ssn stream tcp nowait user /usr/sbin/tcpd /usr/sbin/nookie

Now, edit the following parts:

Change "user" into your user normally logged into tty1.  Putting
root in there will always work, but I am not sure of the security
problems that might arrive with it.

Also correct the path to your nookie binary.

Save, and run

killall -HUP inetd

which just reloads inetd.

[3] Test

To fake a nuke-connect, do the following:

telnet localhost 139

On tty1 you should see a message similar too:

Nuke received from 127.0.0.1

#--------------------------------------------------------------------#

As I said before, I am not sure what security implications
this program might have on your system.  Normally, I don't mess
around with daemons.  I would appreciate it if someone could
inform me of any exploits etc.

Happy Anti-Nooking!
