
[cobalt-security] Security Updates 04/05/2001



I signed up for this list in hopes that I would receive immediate
notification when critical updates were made available for Cobalt products -
apparently this is not the case...

SOOoooo....

List Members: On April 5, 2001, 2 updates were posted for the Raq3 (one
Security, one RPM upgrade).  I recommend that you review them.

Jay Fesco

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of
cobalt-security-request@xxxxxxxxxxxxxxx
Sent: Sunday, April 08, 2001 3:25 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: cobalt-security digest, Vol 1 #297 - 2 msgs
Importance: High


Send cobalt-security mailing list submissions to
	cobalt-security@xxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
	cobalt-security-request@xxxxxxxxxxxxxxx

You can reach the person managing the list at
	cobalt-security-admin@xxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."


Today's Topics:

   1. Re: Odd log code, Hack attempt? (Paul Gillingwater)
   2. Re: Portsentry - IP chains et al (Revd leonard payne)

--__--__--

Message: 1
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Odd log code, Hack attempt?
Date: Sun, 08 Apr 2001 08:27:28 +0200 (CEST)
From: Paul Gillingwater <paul@xxxxxxxxxxx>
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Quoting Rodrigo Velasco <rvelasco@xxxxxxx>:

> Hi again,
>
> I've found the following lines in my last log from my Cobalt4i, I don't
> really know if it means something important, but it looks to me like
> somebody was trying to use some sort of script on my server:
>
> ns.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"
> ns2.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"
> www.customer.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 310 "-" "-"
>
> I'd appreciate it if any of you could tell me what it means and what
> I could do to avoid putting my server at risk.

This is an attempt to exploit a standard known vulnerability on Windows IIS
servers.  Some script kiddie is trying to crack your box, but is too stupid
to know the difference between IIS and Apache.

As long as you keep up with the security patches, you should be fine.  And
of course, running Linux is a good way to avoid Windows NT attacks.  :-)

*********************************
        Paul Gillingwater
        Managing Director
 CSO Lanifex Unternehmensberatung
 & Softwareentwicklung G.m.b.H.
      NEW BUSINESS CONCEPTS

E-mail:  paul@xxxxxxxxxxx
Mobile:  +43/699/1922 3085
Webhome: http://www.lanifex.com
Address: Praterstrasse 60/1/2
         A-1020 Vienna, Austria
*********************************
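The probe Paul identifies is the IIS Unicode directory traversal: `%c0%af` is an overlong UTF-8 encoding of `/` that IIS accepted but a strict decoder rejects, so the eight `..%c0%af` hops walk out of `/scripts` to `winnt/system32/cmd.exe`. The script below is an added example, not code from the thread or from Cobalt. It parses Apache-style access-log lines, decodes the path leniently enough to see the traversal, and returns the findings a triage script would want; the three sample lines are the poster's, reassembled onto single lines, plus one constructed benign line, and every function name is mine.

```python
"""
Added example, not code from the thread: a small detector for the IIS
Unicode directory-traversal probe quoted above.  It parses Apache-style
access-log lines, percent-decodes the request path while tolerating the
overlong UTF-8 byte pairs a strict decoder rejects (%c0%af is an overlong
encoding of '/'; %c1%9c of '\\'), and flags requests that walk up out of
/scripts towards cmd.exe.  SAMPLE_LOG holds the poster's three lines
reassembled onto single lines plus one constructed benign line for
contrast; all function names are mine.
"""
import re
from urllib.parse import unquote_to_bytes

# Apache "common" log format with a leading virtual-host field, as in the post.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# %c0%xx / %c1%xx lead bytes are never valid strict UTF-8: overlong by definition.
OVERLONG_RE = re.compile(r'%c[01]%[89ab][0-9a-f]', re.I)

PROBE = '/scripts/' + '..%c0%af' * 8 + '/winnt/system32/cmd.exe?/c%20dir'
SAMPLE_LOG = [
    'ns.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] '
    '"GET ' + PROBE + ' HTTP/1.0" 302 308 "-" "-"',
    'ns2.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] '
    '"GET ' + PROBE + ' HTTP/1.0" 302 308 "-" "-"',
    'www.customer.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] '
    '"GET ' + PROBE + ' HTTP/1.0" 302 310 "-" "-"',
    # constructed benign request, not from the post
    'www.customer.com 192.0.2.7 - - [07/Apr/2001:06:51:10 -0400] '
    '"GET /index.html HTTP/1.0" 200 1523 "-" "Mozilla/4.0"',
]


def decode_path(target):
    """Percent-decode the request path (query string dropped) to text,
    accepting overlong two-byte UTF-8 forms such as %c0%af ('/') and
    %c1%9c ('\\') that bytes.decode('utf-8') would refuse."""
    raw = unquote_to_bytes(target.split('?', 1)[0])
    out, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            # two-byte sequence, overlong or not: same arithmetic IIS applied
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b <= 0xF7:
            ln = 3 if b <= 0xEF else 4
            out.append(raw[i:i + ln].decode('utf-8', errors='replace')); i += ln
        else:
            out.append('\ufffd'); i += 1
    return ''.join(out)


def canonical_depth(path):
    """Walk the decoded path and return how many levels it climbed above
    the web root (0 = never left it).  Backslashes count as separators."""
    depth = worst = 0
    for seg in path.replace('\\', '/').split('/'):
        if seg == '..':
            depth -= 1
            worst = min(worst, depth)
        elif seg not in ('', '.'):
            depth += 1
    return -worst


def inspect(line):
    """Parse one log line; None if it does not parse, else the fields plus
    the findings: traversal, overlong encoding, cmd.exe target, served."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    decoded = decode_path(f['target'])
    f['decoded'] = decoded
    f['escape_depth'] = canonical_depth(decoded)
    f['traversal'] = f['escape_depth'] > 0
    f['overlong_utf8'] = bool(OVERLONG_RE.search(f['target']))
    f['hits_cmd_exe'] = 'cmd.exe' in decoded.lower()
    # On IIS a 200 here means the directory listing came back; Apache's
    # 302 (as in the post) or a 404 means nothing was executed.
    f['served'] = f['status'] == '200'
    return f


def scan(lines):
    """Return the inspected records that look like traversal probes."""
    return [r for r in map(inspect, lines)
            if r and (r['traversal'] or r['overlong_utf8'])]


if __name__ == '__main__':
    for r in scan(SAMPLE_LOG):
        print(f"{r['client']} -> {r['vhost']} {r['decoded']} "
              f"(escaped {r['escape_depth']} levels, status {r['status']})")
```

On the Cobalt box in the post all three hits carry a 302, so `served` stays false and the records are recon noise worth counting per client IP rather than paging on; a `served` hit on a host that actually runs IIS is the one to alert on.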

--__--__--

Message: 2
Date: Sun, 08 Apr 2001 08:01:04 +0100
From: Revd leonard payne <vicarage@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: [cobalt-security] Re: Portsentry - IP chains et al
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

on 7/4/01 8:07 pm, Carrie .. (my white chocolate lady --- )

> I've noticed a slight slow-down in FTP transfer speed since I put the
> ipchains and 'really anal' rule into effect. Nothing major, but enough
> to make *me* notice. I'm wondering if taking 137 out of the config
> would beef that back up a little. You think?

I doubt it - it takes a nanosecond or two to react to the scan. I
personally haven't worried when I was scanning; I have now removed it. I
must admit that I'm only an amateur, but it seems that if you can ensure
there are no services running on the port then don't bother monitoring it
anyway.

Also - I understood that if I needed to re-allow some IPs, I just needed to
delete them from the hosts.deny file. Is this not so? Is there more work to
be done?

Meantime - can anyone advise, on or off-list, how ipchains was configured.

--

Lovely to see your signature again Carrie

Blessings
revd Leonard
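On the hosts.deny question above: PortSentry can react to a scan in two places at once, appending a tcp_wrappers line to /etc/hosts.deny (its KILL_HOSTS_DENY setting) and inserting a firewall rule (its KILL_ROUTE setting), so re-allowing a host means undoing both. The helper below is an added example, not code from the thread or from PortSentry itself. It assumes PortSentry's stock templates, `ALL: <ip> : DENY` for hosts.deny and `ipchains -I input -s <ip> -j DENY -l` for the ipchains route; the function names, the summary dict and the constructed hosts.deny in `demo()` are mine.

```python
"""
Added example, not from the thread.  When PortSentry blocks a scanner it can
append a line to /etc/hosts.deny (KILL_HOSTS_DENY) and insert a firewall
rule (KILL_ROUTE).  Assumed here are its stock templates: "ALL: <ip> : DENY"
for the former and, on an ipchains host, "ipchains -I input -s <ip> -j DENY -l"
for the latter.  Re-allowing a host means undoing both: this helper strips
the hosts.deny entry and issues the matching `ipchains -D`, or only reports
the command when ipchains is not installed.  Function names, the summary
dict and the sample file built in demo() are mine.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

HOSTS_DENY = Path('/etc/hosts.deny')
# PortSentry's stock KILL_HOSTS_DENY line format (assumed)
DENY_LINE = re.compile(r'^ALL:\s*(\S+)\s*:\s*DENY\s*$')
# inverse of the stock ipchains KILL_ROUTE: -D instead of -I (assumed)
IPCHAINS_DEL = ['ipchains', '-D', 'input', '-s', '{ip}', '-j', 'DENY', '-l']


def blocked_hosts(path=HOSTS_DENY):
    """IPs currently listed in hosts.deny in PortSentry's format."""
    return [m.group(1)
            for m in map(DENY_LINE.match, path.read_text().splitlines()) if m]


def unblock(ip, path=HOSTS_DENY, run=True):
    """Remove every PortSentry entry for ip from hosts.deny and delete the
    matching ipchains rule.  rule_deleted in the returned summary is None
    when ipchains was not run (not installed, or run=False)."""
    def is_entry(line):
        m = DENY_LINE.match(line.rstrip('\r\n'))
        return bool(m) and m.group(1) == ip

    lines = path.read_text().splitlines(keepends=True)
    kept = [l for l in lines if not is_entry(l)]
    removed = len(lines) - len(kept)
    # write a sibling file and rename it into place so tcp_wrappers never
    # reads a half-written hosts.deny
    tmp = path.with_name(path.name + '.tmp')
    tmp.write_text(''.join(kept))
    tmp.replace(path)

    cmd = [arg.format(ip=ip) for arg in IPCHAINS_DEL]
    rule_deleted = None
    if run and shutil.which('ipchains'):
        rule_deleted = subprocess.run(cmd).returncode == 0
    return {'ip': ip, 'hosts_deny_removed': removed,
            'ipchains_cmd': ' '.join(cmd), 'rule_deleted': rule_deleted}


def demo():
    """Run unblock() against a constructed hosts.deny in a temp directory,
    without touching ipchains, and return what happened."""
    path = Path(tempfile.mkdtemp()) / 'hosts.deny'
    path.write_text('ALL: 10.0.0.5 : DENY\n'      # constructed entries
                    'ALL: 10.0.0.50 : DENY\n'
                    'sshd: 192.0.2.9\n')          # unrelated line, must survive
    before = blocked_hosts(path)
    result = unblock('10.0.0.5', path, run=False)
    return {'before': before, 'result': result,
            'after': blocked_hosts(path), 'text': path.read_text()}


if __name__ == '__main__':
    print(demo())
```

The two records drift apart on their own: hosts.deny persists across reboots while an ipchains rule does not, so a host can be blocked by one and not the other. Matching on the exact IP (so 10.0.0.5 does not also drop 10.0.0.50) and renaming a temp file into place are the two details worth keeping if you adapt this to your own hosts.deny layout.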



--__--__--

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


End of cobalt-security Digest