
RE: [cobalt-security] Re: HELP- CacheRaq4 being attacked



Take a look at this package and see if it helps you. It's for the Qube3, but it
might help you figure something out if you unpack it and look at it:

SQUID Security Update 4.0.1

HTTP: Qube3-All-Security-4.0.1-14935.pkg        Posted: January 08, 2003
FTP:  Point your FTP client to ftp://ftp.cobalt.sun.com        Size: 998,648



This update addresses a number of issues with SQUID.

SQUID configuration could enable spammers to relay through the qube3
log rotation has been fixed
UI inconsistencies between Web Access and Web Cache have been resolved





-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Dawn D.
Pfaltzgraff
Sent: Monday, April 07, 2003 12:41 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] Re: HELP- CacheRaq4 being attacked


I'm not sure where it is coming from, I only know that we have gotten
complaints from our upstream provider that they are getting spam from this
address (the Cache server).  It is on the DMZ of the SonicWall and the
SonicWall is a Pro 300.

Dawn

At 12:00 PM 4/7/2003 -0700, you wrote:
>Send cobalt-security mailing list submissions to
>         cobalt-security@xxxxxxxxxxxxxxx
>
>To subscribe or unsubscribe via the World Wide Web, visit
>         http://list.cobalt.com/mailman/listinfo/cobalt-security
>or, via email, send a message with subject or body 'help' to
>         cobalt-security-request@xxxxxxxxxxxxxxx
>
>You can reach the person managing the list at
>         cobalt-security-admin@xxxxxxxxxxxxxxx
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of cobalt-security digest..."
>
>
>Today's Topics:
>
>    1. RaQ2 Sendmail fix (Diana Brake)
>    2. RE: RaQ2 Sendmail fix (Gavin Nelmes-Crocker)
>    3. Not great news for Cobalt Users (Gavin Nelmes-Crocker)
>    4. SSH sniffing (Tik & Klik Internetdiensten)
>    5. Re: SSH sniffing (Jeroen Wunnink)
>    6. HELP- CacheRaq4 being attacked (Dawn D. Pfaltzgraff)
>    7. Re: HELP- CacheRaq4 being attacked (Dave @ The Hostworks)
>    8. RE: HELP- CacheRaq4 being attacked (Randy Russell)
>
>--__--__--
>
>Message: 1
>Date: Sun, 06 Apr 2003 21:31:31 -0400
>From: Diana Brake <diana@xxxxxxxxxxxxx>
>To: cobalt-security@xxxxxxxxxxxxxxx
>Subject: [cobalt-security] RaQ2 Sendmail fix
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>Hi,
>
>I found a sendmail 'fix' for the RaQ2 as provided by the people at
>htt://www.raqtweak.com/   or http://www.raqtweak.com/free.php
>
>I don't know these people so I'm hoping that someone here can vouch for
>them. I downloaded the package and installed it on a non-production
>machine...all appears to be fine. I wouldn't have a clue how to go about
>tearing the package apart and auditing it for security. Any insight will
>be greatly appreciated.
>--
>Diana
>
>
>--__--__--
>
>Message: 2
>From: "Gavin Nelmes-Crocker" <cobalt@xxxxxxxxxxxxxxxx>
>To: <cobalt-security@xxxxxxxxxxxxxxx>
>Subject: RE: [cobalt-security] RaQ2 Sendmail fix
>Date: Mon, 7 Apr 2003 09:11:27 +0100
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>
> > I found a sendmail 'fix' for the RaQ2 as provided by the people at
> > htt://www.raqtweak.com/   or http://www.raqtweak.com/free.php
> >
> > I don't know these people so I'm hoping that someone here can vouch for
> > them. I downloaded the package and installed it on a non-production
> > machine...all appears to be fine. I wouldn't have a clue how to go about
> > tearing the package apart and auditing it for security. Any insight will
> > be greatly appreciated.
>
>I have a little knowledge of them in the sense that I have taken a few of
>their pkgs apart for auditing.
>
>In every case that I can think of we found the register_me script activated
>which basically sends an email from your RaQ to raqtweak with details of
>your server.  It does this behind the scenes so most users don't know it
>happens.  I don't think they declare this on their web site and therefore
>some people may have chosen to avoid them for this reason.
>
>As to whether the actual patch/mod or upgrade works or not I can't comment.
>The guy behind it is Leslie Herps; do a search on the groups and see what
>comes back.
>
>My 2 cents
>
>Gavin
>
>
>--__--__--
>
>Message: 3
>From: "Gavin Nelmes-Crocker" <cobalt@xxxxxxxxxxxxxxxx>
>To: "Cobalt-Security@List. Cobalt. Com" <cobalt-security@xxxxxxxxxxxxxxx>,
>         "Cobalt-Users@List. Cobalt. Com" <cobalt-users@xxxxxxxxxxxxxxx>,
>         "Cobaltfacts@List. Cobaltfacts. Com"
> <cobaltfacts@xxxxxxxxxxxxxxxxxxxx>,
>         "Cobalt-Developers@List. Cobalt. Com"
> <cobalt-developers@xxxxxxxxxxxxxxx>
>Date: Mon, 7 Apr 2003 10:09:04 +0100
>Subject: [cobalt-security] Not great news for Cobalt Users
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>Sorry for the broadcast but I feel it is important for people to start
>thinking what they will do in the future.  I know some of this has started
>to be talked about with the Qbalt project and talk recently of an
>independent group setting up a patching network.
>
>This just arrived from Red Hat
>
><snip>
>  Sent: 02 April 2003 17:48
>To: redhat-watch-list@xxxxxxxxxx; redhat-announce-list@xxxxxxxxxx
>Subject: End of Life: Red Hat Linux 6.2, 7
>
>
>In accordance with our errata support policy the Red Hat Linux 6.2 and
>Red Hat Linux 7 distributions have now reached their end-of-life for
>errata maintenance.  This means that we will no longer be producing
>security, bugfix, or enhancement updates for these products.
></snip>
>
>As most of the Cobalt product line is based on Red Hat 6.2
>(RaQ3,4,XTR,Qube3) this is serious unless anyone else has a different
>hopefully better view or solution.
>
>Regards
>
>Gavin
>
>
>--__--__--
>
>Message: 4
>From: "Tik & Klik Internetdiensten" <info@xxxxxxxxxx>
>To: <cobalt-security@xxxxxxxxxxxxxxx>
>Date: Mon, 7 Apr 2003 11:16:45 +0200
>Subject: [cobalt-security] SSH sniffing
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>Hello,
>
>Does anybody know a solution to stop users with SSH access from sniffing in
>other places on the server than their own site?
>
>And I don't mean the answer "don't give them SSH access" :-)
>
>
>--__--__--
>
>Message: 5
>Date: Mon, 07 Apr 2003 13:30:20 +0200
>To: cobalt-security@xxxxxxxxxxxxxxx
>From: Jeroen Wunnink <jeroen@xxxxxxxxxxxxxx>
>Subject: Re: [cobalt-security] SSH sniffing
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>Do some research on chroot. It'll give you the ability to change the /
>partition for applications and users, so you can set their ~/ as /; this
>way they cannot change to directories below their userdir.
>
>
>
>Kind regards,
>
>Jeroen Wunnink,
>systeembeheer@xxxxxxxxxxxxxx
>
>phone: +31 (035) 6285455                P.O. Box 1332
>fax: +31 (035) 6838242                  1200 BH Hilversum
>
>http://www.easyhosting.nl
>
>
>--__--__--
>
>Message: 6
>Date: Mon, 07 Apr 2003 08:33:08 -0600
>To: cobalt-security@xxxxxxxxxxxxxxx
>From: "Dawn D. Pfaltzgraff" <ddpfz@xxxxxxxxxx>
>Subject: [cobalt-security] HELP- CacheRaq4 being attacked
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>Over the past couple of days I have noticed that a CacheRaq4 at one of our
>schools is seeing an INSANE amount of traffic.  Also the administrator there
>keeps receiving a whole bunch of returned mail (vulnerable SMTP, seems to be
>"undeliverable" spam).  So anybody got any ideas? It's behind a Sonic Wall and
>the following ports are the only ones that appear to be open: netbios (137,138),
>telnet and squid (SMTP is opened).  Now I have also noticed that every time a
>"Squid child" starts up it exits on "signal 6".  I'm not sure where to start on
>this one, if anyone has any suggestions, please let me know.  As for updates,
>the box has been updated with the Cobalt updates and nothing else.  Other than
>that... it's straight out of the box.  Is squid a problem or something?
>
>Thanks,
>Dawn
>
>
>Dawn D. Pfaltzgraff
>System Administrator
>Premier Systems -plains.net
>ddpfz@xxxxxxxxxx
>(970-848-0475)
>
>
>
>--__--__--
>
>Message: 7
>From: "Dave @ The Hostworks" <dave@xxxxxxxxxxxxxxxx>
>To: <cobalt-security@xxxxxxxxxxxxxxx>
>Subject: Re: [cobalt-security] HELP- CacheRaq4 being attacked
>Date: Mon, 7 Apr 2003 10:59:03 -0400
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>Are you sure the traffic is generated by smtp?
>
>An aggressive spammer can actually send out mass messages while cloaking your
>hostname, so in return you get the undeliverable messages... even if it was
>sent from some other server, and some other idiot spammer.
>
>
>
>
>
>--__--__--
>
>Message: 8
>From: "Randy Russell" <rrussell@xxxxxxxxxxxxxx>
>To: <cobalt-security@xxxxxxxxxxxxxxx>
>Subject: RE: [cobalt-security] HELP- CacheRaq4 being attacked
>Date: Mon, 7 Apr 2003 11:38:08 -0700
>Reply-To: cobalt-security@xxxxxxxxxxxxxxx
>
>It might be a squid problem. We had a Qube 3 with squid (Web caching on) and it
>was used as a method for spammers to relay their mail because of a bug. Once we
>turned it off, that traffic stopped. Sun came out with a security patch to fix
>it. The problem is now fixed. We have it on.  I don't know about the Raq
>Cache 4.
>
>Do you have the Raq4 Cache on the DMZ port of the SonicWall? If so what
>model do you have?
>
>-Randy
>
>
>
>
>
>
>--__--__--
>
>
>
>End of cobalt-security Digest


Dawn D. Pfaltzgraff
System Administrator
Premier Systems -plains.net
ddpfz@xxxxxxxxxx
(970-848-0475)


_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security
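As an added example (not from this thread, Sun's update, or Cobalt), here is a small Python check for the abuse Randy describes: a caching proxy whose CONNECT method can be tunnelled to port 25, so clients outside the LAN relay mail through it. It scans constructed Squid access.log lines; the LAN range, hostnames and addresses are assumptions.

```python
"""Scan Squid access.log lines for CONNECT tunnels to mail ports.

Added example; the log lines below are constructed, not from the thread.
Native Squid log fields: time elapsed client code/status bytes method url ident hier/host type
"""
import ipaddress

SAMPLE_LOG = """\
1049731200.101    120 10.1.2.50 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1049731201.330   2300 203.0.113.45 TCP_MISS/200 742 CONNECT mx1.example.net:25 - DIRECT/198.51.100.7 -
1049731202.015    880 10.1.2.51 TCP_MISS/200 9400 CONNECT www.example.com:443 - DIRECT/192.0.2.20 -
1049731203.777   1900 203.0.113.45 TCP_MISS/200 811 CONNECT mx2.example.net:25 - DIRECT/198.51.100.9 -
1049731204.002     40 198.51.100.23 TCP_DENIED/403 1450 CONNECT mx1.example.net:25 - NONE/- text/html
"""

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the school's own LAN
SSL_PORTS = {443}  # the only port CONNECT should reach (Squid's stock SSL_ports acl)


def parse_line(line):
    f = line.split()
    code, status = f[3].split("/")
    return {"client": ipaddress.ip_address(f[2]), "code": code,
            "status": int(status), "method": f[5], "url": f[6]}


def connect_port(url):
    """CONNECT requests log host:port as the URL; return the port, else None."""
    _host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def find_connect_tunnels(log_text):
    """Every CONNECT to a non-SSL port as (client, target, status, from_lan)."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["method"] == "CONNECT" and connect_port(e["url"]) not in SSL_PORTS:
            hits.append((str(e["client"]), e["url"], e["status"], is_local(e["client"])))
    return hits


def open_relay_hits(log_text):
    """Tunnels that succeeded (200) for clients outside the LAN: the relay signature.
    TCP_DENIED/403 entries mean the http_access rules are already blocking it."""
    return [h for h in find_connect_tunnels(log_text) if h[2] == 200 and not h[3]]
```

Any hit from open_relay_hits() on a box that is not a deliberate mail gateway is the open-proxy behaviour to fix; Squid's stock `http_access deny CONNECT !SSL_ports` rule is what turns those 200s into 403s.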