[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] The nasty RaQ hack...

Hi

how do we stand regs this?

I have setup the quick fix - chmod 755 /usr/lib/authenticate
but this is causing problems, users can't get into httaccess protected files. 

I know we can make:
/etc/shadow
/etc/passwd
world readable but isnt this a risk in itself?
I would like to patch up openssl as recommended by Jeff but have seen posts mentioning symlinks, dependency errors etc. Has anyone got a guide or a package, commercial or otherwise for this?
I have not installed the new OpenSSH as my understanding is that it is only required once openssl has been updated? 

Im kinda confused guys, and kinda worried!
How are all of you lot feeling about this?

Marcus


From: "Jelmer Jellema" <lists@xxxxxxxxxxxxxxx>
Reply-To: cobalt-security@xxxxxxxxxxxxxxx
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] The nasty RaQ hack...
Date: Thu, 23 Jan 2003 09:43:59 +0100

Hi Jeff,
Thanks for the information, it looks like it's time to upgrade. Question: is 
there any information about this hack on bugtrack? I could not find it
there, nore on this list (but it's still quite early overhere) . Or is this
one kept a secret untill we all had a chance to upgrade?

I would like to know if I'm vulnurable, in my specific situation (no
untrusted shell accounts, ports 81 and 444 blocked by ipchains etc.).

It's hard typing with your fingers crossed!

Jelmer
----- Original Message -----
From: "Jeff Lasman" <jblists@xxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, January 21, 2003 8:21 PM
Subject: [cobalt-security] The nasty RaQ hack...


> I'm posting this information to a few of the lists because some fairly
> intelligent people have written me unsure of exactly what they have to
> do to protect agains the nasty hack going around that completely
> destroys all the content on RaQ4s.
>
> You really need to do this.  If you can't do it yourself, have someone
> do it for you.
>
> This information comes from various sources, and is presented as a
> simple recipe for your convenience.  All liability disclamers in effect
> of course.  If you need someone to be responsible for the work, then
> find someone to do it for you.
>
> First of all, according to the docs published for the hack, a quick fix
> is to chmod 755 /usr/lib/authenticate if it's not already set to that.
>
> Second, according to Michael, make sure you've got the latest update for
> apache, patch 15787, from the Cobalt package site.
>
> Third, upgrade OpenSSL to Version 0.9.7; you can get RPMs from
> ftp://ftp.nacs.net/pub/software/cobalt_raq4
>
>   openssl-0.9.7-1.i386.rpm
>   openssl-0.9.7-1.src.rpm
>   openssl-devel-0.9.7-1.i386.rpm
>   openssl-doc-0.9.7-1.i386.rpm
>
> Fourth, upgrade OpenSSH, either from solarspeed.net
> (http://www.solarspeed.net/downloads/index.php), or from pkgmaster:
> (http://pkgmaster.com/packages/raq/4/).  (Required, previous versions of
> SSH may not work properly with the rpm versions of OpenSSL.)
>
> Sixth, make frequent backups; this is nasty and destroys most of the
> content on your RaQ.
>
> Seventh, cross your fingers.
>
> Jeff
> --
> Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA  92517 US
> Internet & Unix/Linux/Sun/Cobalt Consulting +1 909 778-9980
> Our jblists address used on lists is for list email only
> To contact us offlist: "http://www.nobaloney.net/contactus.html";
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security



_________________________________________________________________
Express yourself with cool emoticons http://messenger.msn.co.uk