
[cobalt-security] RE: cobalt-security digest, Vol 1 #377 - 20 msgs



-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of
cobalt-security-request@xxxxxxxxxxxxxxx
Sent: Tuesday, June 12, 2001 1:20 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: cobalt-security digest, Vol 1 #377 - 20 msgs


Send cobalt-security mailing list submissions to
	cobalt-security@xxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
	cobalt-security-request@xxxxxxxxxxxxxxx

You can reach the person managing the list at
	cobalt-security-admin@xxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."


Today's Topics:

   1. RE: Come DownUnder and get a RaQ4 StoreSense for US$49 (AU$99)/mth OR
own the server outright $149/month - 1 year  - incs colocation + Unlimited
Data Output (Tony)
   2. RE: Come DownUnder and get a RaQ4 StoreSense
       for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year -
       incs colocation + Unlimited Data Output (WebHost Mail Center)
   3. RE: OT - Come DownUnder and get a RaQ4 [...] (Francois Thomas)
   4. RaQ4-All-Security Release 1.0.2-5-9769 (Achieve Website Design)
   5. RE: Come DownUnder and get a RaQ4 StoreSense
       for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year
       - incs colocation + Unlimited Data Output (Hostmaster)
   6. AW: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769 (Rob van
Eijk)
   7. Re: profile of a bind worm (Kevin D)
   8. Re: RaQ4-All-Security Release 1.0.2-5-9769 (MikeM)
   9. RE: Come DownUnder and get a RaQ4 SPAMMING ! (Vachon, Scott)
  10. Re: Come DownUnder and get a RaQ4 SPAMMING ! (Kevin D)
  11. Re: RaQ4-All-Security Release 1.0.2-5-9769 (Alex Collins)
  12. RE: profile of a bind worm (Jabie Gray)
  13. Re: RaQ4-All-Security Release 1.0.2-5-9769 (MikeM)
  14. Re: profile of a bind worm (Kevin D)
  15. Re: profile of a bind worm (Lawrence Frewin of Accommodation.com)
  16. RE: profile of a bind worm (shimi)

--__--__--

Message: 1
From: "Tony" <isplists@xxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense for
US$49 (AU$99)/mth OR own the server outright $149/month - 1 year  - incs
colocation + Unlimited Data Output
Date: Mon, 11 Jun 2001 22:34:51 -0500
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


>
>Hello All,
>
>We wanted to announce this offer to the Cobalt community before we
>announce it to the press and other news outlets.  We think we have
>
Nice spam but I prefer my spam with eggs over easy and a lot of ketchup.
Don't forget to tell everyone about the $500 a month in minimum store
licenses that Kurant will hit them for.

--__--__--

Message: 2
Date: Tue, 12 Jun 2001 15:00:51 +1000
To: cobalt-security@xxxxxxxxxxxxxxx
From: WebHost Mail Center <mail@xxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense
 for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year  -
 incs colocation + Unlimited Data Output
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Hi Tony,

Thanks for the reply.  Sorry my spam offended you, and anyone else on
the list who took offense, it wasn't meant to.  Some people were
interested so I took a risk.

Since you mentioned StoreSense I thought I would clarify that point
too.  The min licensing fee might be true in the US, but here in
Australia there is NO minimum store licensing fee charged by
StoreSense Australia - http://www.storesense.com.au  You get the Site
Store and the Retroactive Demo Store free, and you only pay for
additional stores you open up, which presumably you have on sold to
customers.

Thank you for your comments; I take them in the spirit they were intended.

Kind regards,


Tim Rignold
Dedicated Servers Australia
http://www.dedicatedservers.com.au



>  >
>>Hello All,
>>
>>We wanted to announce this offer to the Cobalt community before we
>>announce it to the press and other news outlets.  We think we have
>>
>Nice spam but I prefer my spam with eggs over easy and a lot of ketchup.
>Don't forget to tell everyone about the $500 a month in minimum store
>licenses that Kurant will hit them for.


--
_____________________________________________________________

Dedicated Servers Australia - BRISBANE   Telephone + 61 7 3831 9111
80 Berry Street                          Facsimile + 61 7 3839 5442
Spring Hill Queensland                  mailto:sales@xxxxxxxxxxxxxxxxxxxxxxx
AUSTRALIA 4000                       http://www.dedicatedservers.com.au

A WEBHOST COMPANY - PROUDLY 100% AUSTRALIAN OWNED
_____________________________________________________________

--__--__--

Message: 3
From: Francois Thomas <FrancoisT@xxxxxxxxxxxx>
To: "'cobalt-security@xxxxxxxxxxxxxxx'" <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] OT - Come DownUnder and get a RaQ4 [...]
Date: Tue, 12 Jun 2001 10:51:57 +0200
Reply-To: cobalt-security@xxxxxxxxxxxxxxx



> -----Original Message-----
> From: WebHost Mail Center [mailto:mail@xxxxxxxxxxxxxx]
> Sent: Tue. 12 June 2001 07:01
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense
> for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year -
> incs colocation + Unlimited Data Output
>
>
> Hi Tony,
>
> Thanks for the reply.  Sorry my spam offended you, and anyone else on
> the list who took offense, it wasn't meant to.  Some people were
> interested so I took a risk.

Please remember for the future that people here are interested in COBALT
SECURITY, and nothing else.

>
> Since you mentioned StoreSense I thought I would clarify that point
> too.

Please remember for the future that people here have nothing to do with your
commercial matters.
I would be pleased to see this thread's end ASAP, and I'm sure I'm not the
only one.
Sorry for this noise.
Regards
François

--__--__--

Message: 4
From: "Achieve Website Design" <info@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Date: Tue, 12 Jun 2001 10:08:30 +0100
Subject: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Hello,
Ever since I installed the above package on May 24, my web stats have
stopped working correctly. The stats on the Site Usage feature on the Raq do
not get cleared each day, and what I have now are logs from May 24. I'm
concerned in so far as that if this continues I will end up with very large
log files. Has anyone else encountered this problem?
Thanks,
Declan Connolly.



--__--__--

Message: 5
Date: Tue, 12 Jun 2001 17:43:59 +0800
To: cobalt-security@xxxxxxxxxxxxxxx
From: Hostmaster <tsbn2@xxxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense
  for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year
  - incs colocation + Unlimited Data Output
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

At 03:00 PM 12/06/2001 +1000, you wrote:
>Thanks for the reply.  Sorry my spam offended you, and anyone else on the
>list who took offense, it wasn't meant to.  Some people were interested so
>I took a risk.

It'd be a risk alright. The site claims "Dedicated Servers Australia is a
wholly owned subsidiary of Australia's oldest Web Hosting company - WebHost
Australia. Founded in March, 1995, WebHost was the first Australian company
to create a specialized service that dealt solely with web hosting. In
fact, we defined the industry by coining the term web hosting."

There is no such business name (DBA) or company registered in Australia.
Webhosts Australia was registered as a business name in 1999 - if it is the
same firm (not company) it was registered four years later than claimed. If
they lie about this, what else? Caveat Emptor. Time for a call to the ACCC
with a printout of all these claims. Also no mention of who you'd be
dealing with and no ACN/ABN numbers. Highly illegal.




--__--__--

Message: 6
From: Rob van Eijk <rob@xxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: AW: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Date: Tue, 12 Jun 2001 11:50:44 +0200
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Check if your crond is running:

ps -aux | grep crond

You also might want to check:

http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=27

--
Kind regards,
 Rob van Eijk

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Achieve
Website Design
Sent: Tuesday, 12 June 2001 11:08
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769


Hello,
Ever since I installed the above package on May 24, my web stats have
stopped working correctly. The stats on the Site Usage feature on the Raq do
not get cleared each day, and what I have now are logs from May 24. I'm
concerned in so far as that if this continues I will end up with very large
log files. Has anyone else encountered this problem?
Thanks,
Declan Connolly.




--__--__--

Message: 7
From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 08:58:05 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

From: "Carrie Bartkowiak" <ravencarrie@xxxxxxxx>

> > How are you restarting? your /etc/rc.d/init.d/named script should have
> > this in the start section:
>
> Should it have it in the hard-restart) section as well?

It seems mine does not, but it should :)

Kevin


--__--__--

Message: 8
Date: Tue, 12 Jun 2001 09:28:37 -0400
From: "MikeM" <MyRaQ@xxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On 6/12/01 at 10:08 AM Achieve Website Design wrote:

| Hello,
| Ever since I installed the above package on May 24, my web stats have
| stopped working correctly. The stats on the Site Usage feature on the Raq do
| not get cleared each day, and what I have now are logs from May 24. I'm
| concerned in so far as that if this continues I will end up with very large
| log files. Has anyone else encountered this problem?


I have noticed two problems with my logs recently:

1) they are accumulating since May 24.

2) the domain lookups are not working, even though I have the option checked
to report by domain names instead of IP addresses.

I have not had the time to track this down, but it is interesting that you
seem to have the May 24 problem also.



--__--__--

Message: 9
From: "Vachon, Scott" <Scott.Vachon@xxxxxxxxxxxxxx>
To: "'cobalt-security@xxxxxxxxxxxxxxx'" <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 SPAMMING !
Date: Tue, 12 Jun 2001 08:45:28 -0500
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


>We wanted to announce this offer to the Cobalt community before we
>announce it to the press and other news outlets. <Major sh*% snip>...

OK..this was blatant spamming ! Hell, it wasn't even on the users list ! It
MIGHT have been acceptable if you mentioned the deal and provided a link for
more info. Read the Meta-Faq Tim !

~s~

Disclaimer: My own two cents.

--__--__--

Message: 10
From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] Come DownUnder and get a RaQ4 SPAMMING !
Date: Tue, 12 Jun 2001 10:07:00 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Yeah, and it even came in as a nasty text attachment in my email client...

Kevin

From: "Vachon, Scott" <Scott.Vachon@xxxxxxxxxxxxxx>

> OK..this was blatant spamming ! Hell, it wasn't even on the users list ! It
> MIGHT have been acceptable if you mentioned the deal and provided a link for
> more info. Read the Meta-Faq Tim !



--__--__--

Message: 11
Date: Tue, 12 Jun 2001 16:00:28 +0100
To: cobalt-security@xxxxxxxxxxxxxxx
From: Alex Collins <a.collins@xxxxxxxxx>
Subject: Re: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

In article <>, Achieve Website
Design <info@xxxxxxxxxxxxxx> writes
>Hello,
>Ever since I installed the above package on May 24, my web stats have
>stopped working correctly.

Me 2

Same date - I have just started to have a look at what is going on in
there and will report back.
--
Alex Collins.     Rivermead Library IT Support Technician.
Rivermead Library.      Tel:01245 493131 X3722  Fax: X3145
a.collins@xxxxxxxxx        http://libweb.apu.ac.uk
This message has been ROT-13 Encrypted twice for Extra Security !

--__--__--

Message: 12
From: "Jabie Gray" <apollo@xxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 08:09:33 -0700
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

My named is running as root too.
I see two instances of the daemon function in the /etc/rc.d/init.d/named
script. One is for start, the other is for hard restart.
Do I need to change both of them to use -u & -g options?
Do I need to create the user and group of named?

Thanks,
Jabie
mailto:apollo@xxxxxxxxxx

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Kevin D
Sent: Monday, June 11, 2001 8:30 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] profile of a bind worm


From: "Robson Martins" <robson@xxxxxxxxxxxxx>

> Hey all, i have bind-8.2.3 running here, my question is, when i run it with
> start it is the user named but if i restart, it gets the root username, is
> it a problem? Can i receive a worm with this problem? Named need always run
> as named? Restart is really affecting the username?

How are you restarting? your /etc/rc.d/init.d/named script should have this
in the start section:

daemon named -u named -g named

Which should start bind as user named if you do this:

/etc/rc.d/init.d/named stop
/etc/rc.d/init.d/named start

Bind running as root is a problem, but less of a problem if you have ver
8.2.3. If a new bind vulnerability is discovered for ver 8.2.3, a hacker
could easily gain root access to your box. What saved me from the worst
effects of a bind worm was bind running as named instead of root.

Kevin



--__--__--

Message: 13
Date: Tue, 12 Jun 2001 11:39:14 -0400
From: "MikeM" <MyRaQ@xxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On 6/12/01 at 4:00 PM Alex Collins wrote:

| In article <>, Achieve Website
| Design <info@xxxxxxxxxxxxxx> writes
| >Hello,
| >Ever since I installed the above package on May 24, my web stats have
| >stopped working correctly.
|
| Me 2
|
| Same date - i have just started to have a look at what is going on in
| there and will report back.


As a follow-up to my prior message on this topic... crond appears to be
running fine on my box.

Additionally, I have a RaQ3, not a RaQ4.   I installed the RaQ3 version of
this patch.





--__--__--

Message: 14
From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 11:46:44 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

From: "Jabie Gray" <apollo@xxxxxxxxxx>

> My named is running as root too.

Bad idea.

> I see two instances of the daemon function in the /etc/rc.d/init.d/named
> script. One is for start, the other is for hard restart.
> Do I need to change both of them to use -u & -g options?

Yes you should.

> Do I need to create the user and group of named?

Maybe. Check your /etc/passwd file. My guess is probably not.

Kevin


--__--__--

Message: 15
From: "Lawrence Frewin of Accommodation.com" <Lawrence@xxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 18:22:41 +0100
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


We made the changes to the named file, but have subsequently found
"couldn't create pid file /var/run/named.pid" in our logs.

It looks like root permission is needed to create the "named.pid" file, but
is it critical?

LF


----- Original Message -----
From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, June 12, 2001 4:46 PM
Subject: Re: [cobalt-security] profile of a bind worm


> From: "Jabie Gray" <apollo@xxxxxxxxxx>
>
> > My named is running as root too.
>
> Bad idea.
>
> > I see two instances of the daemon function in the /etc/rc.d/init.d/named
> > script. One is for start, the other is for hard restart.
> > Do I need to change both of them to use -u & -g options?
>
> Yes you should.
>
> > Do I need to create the user and group of named?
>
> Maybe. Check your /etc/passwd file. My guess is probably not.
>
> Kevin
>


--__--__--

Message: 16
Date: Tue, 12 Jun 2001 11:45:38 -0700 (PDT)
From: shimi <shimi@xxxxxxxxxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-security] profile of a bind worm
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


On Tue, 12 Jun 2001, Jabie Gray wrote:

> My named is running as root too.
> I see two instances of the daemon function in the /etc/rc.d/init.d/named
> script. One is for start, the other is for hard restart.
> Do I need to change both of them to use -u & -g options?

Of course. Otherwise one of them will load as u/g named, while the other
as root.

> Do I need to create the user and group of named?

If they don't already exist, yes.

lines as follows:

/etc/passwd:
named:x:25:25:named nonpriviliged account:/etc/named:/bin/false

/etc/group:
named:x:25:

> Thanks,
> Jabie
> mailto:apollo@xxxxxxxxxx
>
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Kevin D
> Sent: Monday, June 11, 2001 8:30 AM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] profile of a bind worm
>
>
> From: "Robson Martins" <robson@xxxxxxxxxxxxx>
>
> > Hey all, i have bind-8.2.3 running here, my question is, when i run it with
> > start it is the user named but if i restart, it gets the root username, is
> > it a problem? Can i receive a worm with this problem? Named need always run
> > as named? Restart is really affecting the username?
>
> How are you restarting? your /etc/rc.d/init.d/named script should have this
> in the start section:
>
> daemon named -u named -g named
>
> Which should start bind as user named if you do this:
>
> /etc/rc.d/init.d/named stop
> /etc/rc.d/init.d/named start
>
> Bind running as root is a problem, but less of a problem if you have ver
> 8.2.3. If a new bind vulnerability is discovered for ver 8.2.3, a hacker
> could easily gain root access to your box. What saved me from the worst
> effects of a bind worm was bind running as named instead of root.
>
> Kevin
>
>



--__--__--
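
The checks discussed in the "profile of a bind worm" messages above (every `daemon named` line in the init script carrying `-u named -g named`, in the hard-restart section as well as start, and the named user and group existing), as an added shell example that is not part of the original thread. The function names and the sample init script are constructed for illustration; the default paths are the ones quoted in the messages.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Report each "daemon named" line lacking "-u USER" or "-g GROUP", with the
# case section (start, hard-restart, ...) it sits in.
# Exit status: 0 all lines drop privileges, 1 some do not, 2 none found.
audit_named_init() {
    script=${1:-/etc/rc.d/init.d/named}
    awk -v user="${2:-named}" -v group="${3:-named}" -v f="$script" '
        /^[ \t]*#/ { next }                        # ignore comment lines
        /^[ \t]*[A-Za-z|_-]+\)/ {                  # case label such as "start)"
            section = $1; sub(/\).*/, "", section)
        }
        /(^|[ \t;])daemon[ \t]+named([ \t]|$)/ {
            seen++
            if ($0 !~ ("[ \t]-u[ \t]+" user "([ \t]|$)") ||
                $0 !~ ("[ \t]-g[ \t]+" group "([ \t]|$)")) {
                printf "%s:%d: [%s] named started without -u %s -g %s\n",
                       f, FNR, section, user, group
                bad++
            }
        }
        END {
            if (!seen) { print f ": no \"daemon named\" line found"; exit 2 }
            exit (bad ? 1 : 0)
        }
    ' "$script"
}

# True only if ACCOUNT has an entry in both the passwd- and group-format files.
named_account_exists() {
    grep -q "^${1:-named}:" "${2:-/etc/passwd}" &&
        grep -q "^${1:-named}:" "${3:-/etc/group}"
}

# Read "USER COMMAND" lines (for instance from: ps -eo user,comm) on stdin and
# print the distinct users that own a named process.
named_owners() {
    awk '$2 == "named" { print $1 }' | sort -u
}

# Write a constructed init script like the one described in the thread:
# "start" drops privileges, "hard-restart" does not.
make_sample_init() {
    cat > "$1" <<'EOF'
case "$1" in
  start)
        daemon named -u named -g named
        ;;
  hard-restart)
        killproc named
        daemon named
        ;;
esac
EOF
}

sample=$(mktemp)
make_sample_init "$sample"
audit_named_init "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

On a live box, `audit_named_init` with no arguments reads /etc/rc.d/init.d/named, and `ps -eo user,comm | named_owners` shows whether any running named is still owned by root.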

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


End of cobalt-security Digest