
RE: [cobalt-security] Security Updates 04/05/2001



Well ... same thing for us.
Try using the following script... it works well.


--------cut here-----------
#!/usr/bin/perl
# alert_cobalt - find if a URL has been changed since last time
# not the best perl you've ever seen but hey what the hell it works !
# No copyright, no support, no warranties, no problem :-)
use strict;
use warnings;
use LWP;

my $url = 'http://www.cobalt.com/support/download/raq3.eng.html';
my $myfile = '/home/cobalt.txt';

my $newfileURL = get_and_read_url($url);

if ($newfileURL ne '') {
	## compare to file on disk
	## $myfile is an absolute path, so 'file://' . $myfile gives file:///home/...
	## ('file:/' . $myfile would make "home" the host part and the read would fail)
	my $oldfileURL = get_and_read_url('file://'.$myfile);
	if ($oldfileURL eq '') {
		## if we can't get the file, create one
		## (first run: store the baseline, nothing to compare yet)
		open(FH, "> $myfile") or die ("cant write $myfile: $!");
		print FH $newfileURL;
		close(FH);
	}
	elsif ($oldfileURL ne $newfileURL) {
		## if URL has changed since last time then send email
		## and update the file content
		send_email();

		open(FH, "> $myfile") or die ("cant write $myfile: $!");
		print FH $newfileURL;
		close(FH);
	}
exit;
}

sub send_email
{
	my $support = 'xxx@xxxxxxx';
	## double quotes so that $! (the OS error text) is interpolated
	open(MAIL, "|/usr/lib/sendmail -t") or die ("cant fork the mail $!");
	print MAIL "To: $support\n";
	print MAIL "From: Alert from Cobalt <$support>\n";
	print MAIL "Subject: Alert from Cobalt patch updates\n\n";
	print MAIL
	"---------------------\n",
	"Page has changed:\n",
	"$url\n",
	"\n-------------------------\n";
	close(MAIL);
}

## no empty prototype here: the sub takes one argument (the URL)
sub get_and_read_url
{
        my ($url) = @_;
        my ($user_agent) = new LWP::UserAgent;
        my $req = new HTTP::Request GET => $url;
        my $res = $user_agent->request($req);
        if ($res->is_success) {
                return $res->content;
        } else {
                return '';
        }
}
--------cut here-----------

> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Joe Llewelyn
> Sent: 09 April 2001 13:52
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: RE: [cobalt-security] Security Updates 04/05/2001
>
>
> I found exactly the same thing - joined here as I've no time to check that
> site every hour of the day..
>
> No warning of the latest PKG.
>
> Rgds..
>
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Jay Fesco
> Sent: 09 April 2001 13:48
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] Security Updates 04/05/2001
>
>
> I signed up for this list in hopes that I would receive immediate
> notification when critical updates were made available for Cobalt
> products - apparently this is not the case...
>
> SOOoooo....
>
> List Members: On April 5, 2001, 2 updates were posted for the Raq3 (one
> Security, one RPM upgrade).  I recommend that you review them.
>
> Jay Fesco
>
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of
> cobalt-security-request@xxxxxxxxxxxxxxx
> Sent: Sunday, April 08, 2001 3:25 PM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: cobalt-security digest, Vol 1 #297 - 2 msgs
> Importance: High
>
>
>
> Today's Topics:
>
>    1. Re: Odd log code, Hack attempt? (Paul Gillingwater)
>    2. Re: Portsentry  - IP chains eta al (Revd leonard payne)
>
> --__--__--
>
> Message: 1
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] Odd log code, Hack attempt?
> Date: Sun, 08 Apr 2001 08:27:28 +0200 (CEST)
> From: Paul Gillingwater <paul@xxxxxxxxxxx>
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> Quoting Rodrigo Velasco <rvelasco@xxxxxxx>:
>
> > Hi again,
> >
> > I've found the following lines in my last log from my Cobalt4i, I don't
> > really know if it means something important, but looks to me how
> > somebody was trying to use a sort of script on my server:
> >
> > ns.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"
> > ns2.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"
> > www.customer.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 310 "-" "-"
> >
> > I'll appreciate if anybody of you could tell me what does it mean and
> > what could I do to avoid risk my server.
>
> This is an attempt to exploit a standard known vulnerability on Windows IIS
> servers.  Some script kiddie is trying to crack your box, but is too stupid
> to know the difference between IIS and Apache.
>
> As long as you keep up with the security patches, you should be fine.  And
> of course, running Linux is a good way to avoid Windows NT attacks.  :-)
>
> *********************************
>         Paul Gillingwater
>         Managing Director
>  CSO Lanifex Unternehmensberatung
>  & Softwareentwicklung G.m.b.H.
>       NEW BUSINESS CONCEPTS
>
> E-mail:  paul@xxxxxxxxxxx
> Mobile:  +43/699/1922 3085
> Webhome: http://www.lanifex.com
> Address: Praterstrasse 60/1/2
>          A-1020 Vienna, Austria
> *********************************
>
> --__--__--
>
> Message: 2
> Date: Sun, 08 Apr 2001 08:01:04 +0100
> From: Revd leonard payne <vicarage@xxxxxxxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Subject: [cobalt-security] Re: Portsentry  - IP chains eta al
> Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
> on 7/4/01 8:07 pm, Carrie .. (my white chocolate lady --- )
>
> > I've noticed a slight slow-down in FTP transfer speed since I put the
> > ipchains and 'really anal' rule into effect. Nothing major, but enough
> > to make *me* notice. I'm wondering if taking 137 out of the config
> > would beef that back up a little. You think?
>
> I doubt it - It takes a nanosecond or two to react to the scan - I
> personally haven't worried when I was scanning - I have now removed it. I
> must admit that I'm only an amateur but it seems that if you can ensure
> there are no services running on the port then don't bother monitoring it
> anyway.
>
> Also - I understood that if I needed to reallow some IP's, I just needed to
> delete them from the Hosts.deny file. Is this not so? Is there more work to
> be done?
>
> Meantime - Can anyone advise , on or offlist, how IP chains were configured.
>
> --
>
> Lovely to see your signature again Carrie
>
> Blessings
> revd Leonard
>
>
>
> --__--__--
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
> End of cobalt-security Digest
>
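
The requests quoted in the digest above hide their "../" sequences behind %c0%af, an overlong two-byte UTF-8 encoding of "/". The Python below is an added example, not part of the original thread: it flags such requests in access-log lines and reports the status the server answered with. The function names and the second sample line are constructed for illustration.

```python
import re

# Fields needed from an Apache access-log line: client IP, request URI, status.
LOG_RE = re.compile(r'(?P<ip>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
PCT_RE = re.compile(rb'%([0-9A-Fa-f]{2})')

# First line is one of the requests quoted in the thread; second is constructed.
SAMPLE = [
    'ns.mydomain.com 207.175.129.160 - - [07/Apr/2001:06:50:01 -0400] "GET '
    '/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af'
    '/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 302 308 "-" "-"',
    'www.customer.com 192.0.2.10 - - [07/Apr/2001:06:51:12 -0400] '
    '"GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

def percent_decode(uri):
    """Undo %XX escapes and return raw bytes (no charset decoding yet)."""
    return PCT_RE.sub(lambda m: bytes([int(m.group(1), 16)]), uri.encode('utf-8'))

def overlong_pairs(raw):
    """Two-byte UTF-8 sequences led by 0xC0/0xC1 can only encode code points
    below 0x80, so they are never valid. Returns [(offset, ascii_char), ...]."""
    hits = []
    for i in range(len(raw) - 1):
        lead, cont = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            hits.append((i, chr(((lead & 0x1F) << 6) | (cont & 0x3F))))
    return hits

def classify(line):
    """Return a dict describing the request, or None if the line does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = percent_decode(m.group('uri'))
    hits = overlong_pairs(raw)
    canon = bytearray(raw)
    for off, ch in reversed(hits):      # replace from the end so offsets stay valid
        canon[off:off + 2] = ch.encode('latin-1')
    path = bytes(canon).split(b'?', 1)[0].decode('latin-1')
    return {'ip': m.group('ip'), 'status': int(m.group('status')),
            'overlong': len(hits), 'decoded_path': path,
            'traversal': '../' in path or '..\\' in path}  # plain ../ is flagged too

if __name__ == '__main__':
    for entry in SAMPLE:
        print(classify(entry))
```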