
[cobalt-security] RE: HELP- CacheRaq4 being attacked



All right, I disabled squid (it is running version 2.3STABLE4) and all of a sudden I'm not getting the traffic I was before. I did a netstat and everything looks fine now (no more strange-looking tcp connections). So obviously there is a problem in squid; does anyone have this problem? Randy, do you know what version of squid your CacheQube was running or is running?

Thanks,
Dawn


At 12:00 PM 4/7/2003 -0700, you wrote:

Today's Topics:

   1. RaQ2 Sendmail fix (Diana Brake)
   2. RE: RaQ2 Sendmail fix (Gavin Nelmes-Crocker)
   3. Not great news for Cobalt Users (Gavin Nelmes-Crocker)
   4. SSH sniffing (Tik & Klik Internetdiensten)
   5. Re: SSH sniffing (Jeroen Wunnink)
   6. HELP- CacheRaq4 being attacked (Dawn D. Pfaltzgraff)
   7. Re: HELP- CacheRaq4 being attacked (Dave @ The Hostworks)
   8. RE: HELP- CacheRaq4 being attacked (Randy Russell)

--__--__--

Message: 1
Date: Sun, 06 Apr 2003 21:31:31 -0400
From: Diana Brake <diana@xxxxxxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] RaQ2 Sendmail fix
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Hi,

I found a sendmail 'fix' for the RaQ2 as provided by the people at
http://www.raqtweak.com/ or http://www.raqtweak.com/free.php

I don't know these people so I'm hoping that someone here can vouch for
them. I downloaded the package and installed it on a non-production
machine...all appears to be fine. I wouldn't have a clue how to go about
tearing the package apart and auditing it for security. Any insight will
be greatly appreciated.
--
Diana


--__--__--

Message: 2
From: "Gavin Nelmes-Crocker" <cobalt@xxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] RaQ2 Sendmail fix
Date: Mon, 7 Apr 2003 09:11:27 +0100
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


> I found a sendmail 'fix' for the RaQ2 as provided by the people at
> http://www.raqtweak.com/ or http://www.raqtweak.com/free.php
>
> I don't know these people so I'm hoping that someone here can vouch for
> them. I downloaded the package and installed it on a non-production
> machine...all appears to be fine. I wouldn't have a clue how to go about
> tearing the package apart and auditing it for security. Any insight will
> be greatly appreciated.

I have a little knowledge of them in the sense that I have taken a few of
their pkgs apart for auditing.

In every case that I can think of we found the register_me script activated,
which basically sends an email from your RaQ to raqtweak with details of
your server.  It does this behind the scenes, so most users don't know it
happens.  I don't think they declare this on their web site, and therefore
some people may have chosen to avoid them for this reason.

As to whether the actual patch/mod or upgrade works or not I can't comment.
The guy behind it is Leslie Herps; do a search on the groups and see what
comes back.

My 2 cents

Gavin


--__--__--

Message: 3
From: "Gavin Nelmes-Crocker" <cobalt@xxxxxxxxxxxxxxxx>
To: "Cobalt-Security@List. Cobalt. Com" <cobalt-security@xxxxxxxxxxxxxxx>,
        "Cobalt-Users@List. Cobalt. Com" <cobalt-users@xxxxxxxxxxxxxxx>,
        "Cobaltfacts@List. Cobaltfacts. Com" <cobaltfacts@xxxxxxxxxxxxxxxxxxxx>,
        "Cobalt-Developers@List. Cobalt. Com" <cobalt-developers@xxxxxxxxxxxxxxx>
Date: Mon, 7 Apr 2003 10:09:04 +0100
Subject: [cobalt-security] Not great news for Cobalt Users
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Sorry for the broadcast but I feel it is important for people to start
thinking what they will do in the future.  I know some of this has started
to be talked about with the Qbalt project and talk recently of an
independent group setting up a patching network.

This just arrived from Red Hat

<snip>
 Sent: 02 April 2003 17:48
To: redhat-watch-list@xxxxxxxxxx; redhat-announce-list@xxxxxxxxxx
Subject: End of Life: Red Hat Linux 6.2, 7


In accordance with our errata support policy the Red Hat Linux 6.2 and
Red Hat Linux 7 distributions have now reached their end-of-life for
errata maintenance.  This means that we will no longer be producing
security, bugfix, or enhancement updates for these products.
</snip>

As most of the Cobalt product line is based on Red Hat 6.2
(RaQ3, RaQ4, XTR, Qube3) this is serious, unless anyone else has a different,
hopefully better, view or solution.

Regards

Gavin


--__--__--

Message: 4
From: "Tik & Klik Internetdiensten" <info@xxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Date: Mon, 7 Apr 2003 11:16:45 +0200
Subject: [cobalt-security] SSH sniffing
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Hello,

Does anybody know a solution to stop users with ssh access from sniffing in
other places on the server than their own site?

And I don't mean the answer "don't give them SSH access" :-)


--__--__--

Message: 5
Date: Mon, 07 Apr 2003 13:30:20 +0200
To: cobalt-security@xxxxxxxxxxxxxxx
From: Jeroen Wunnink <jeroen@xxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] SSH sniffing
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Do some research on chroot; it'll give you the ability to change the /
partition for applications and users, so you can set their ~/ as /. This
way they cannot change to directories below their userdir.

At 11:16 AM 4/7/2003 +0200, you wrote:
>Hello,
>
>Does anybody know a solution to stop users with ssh access from sniffing in
>other places on the server than their own site?
>
>And I don't mean the answer "don't give them SSH access" :-)
>
>_______________________________________________
>cobalt-security mailing list
>cobalt-security@xxxxxxxxxxxxxxx
>http://list.cobalt.com/mailman/listinfo/cobalt-security



Kind regards,

Jeroen Wunnink,
systeembeheer@xxxxxxxxxxxxxx

phone: +31 (035) 6285455                Postbus 1332
fax:   +31 (035) 6838242                1200 BH Hilversum

http://www.easyhosting.nl


--__--__--

Message: 6
Date: Mon, 07 Apr 2003 08:33:08 -0600
To: cobalt-security@xxxxxxxxxxxxxxx
From: "Dawn D. Pfaltzgraff" <ddpfz@xxxxxxxxxx>
Subject: [cobalt-security] HELP- CacheRaq4 being attacked
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Over the past couple of days I have noticed that a CacheRaq4 at
one of our schools is seeing an INSANE amount of traffic.  Also the
administrator there keeps receiving a whole bunch of returned mail
(vulnerable SMTP, seems to be "undeliverable" spam).  So anybody got any
ideas? It's behind a Sonic Wall and the following ports are the only ones
that appear to be open: netbios (137, 138), telnet and squid (SMTP is
opened).  Now I have also noticed that every time a "Squid child" starts up
it exits on "signal 6".  I'm not sure where to start on this one, so if
anyone has any suggestions, please let me know.  As for updates, the box
has been updated with the Cobalt updates and nothing else.  Other than
that... it's straight out of the box.  Is squid a problem or something?

Thanks,
Dawn


Dawn D. Pfaltzgraff
System Administrator
Premier Systems -plains.net
ddpfz@xxxxxxxxxx
(970-848-0475)



--__--__--

Message: 7
From: "Dave @ The Hostworks" <dave@xxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] HELP- CacheRaq4 being attacked
Date: Mon, 7 Apr 2003 10:59:03 -0400
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Are you sure the traffic is generated by smtp?

An aggressive spammer can actually send out mass messages, cloaking your
hostname, so in return you get the undeliverable messages... even if it was
sent from some other server, and some other idiot spammer.




--__--__--

Message: 8
From: "Randy Russell" <rrussell@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] HELP- CacheRaq4 being attacked
Date: Mon, 7 Apr 2003 11:38:08 -0700
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

It might be a squid problem. We had a Qube 3 with squid (Web caching on) and it
was used as a method for spammers to relay their mail because of a bug. Once we
turned it off, that traffic stopped. Sun came out with a security patch to fix
it. The problem is now fixed. We have it on.  I don't know about the Raq
Cache 4.

Do you have the Raq4 Cache on the DMZ port of the SonicWall? If so what
model do you have?

-Randy






--__--__--



End of cobalt-security Digest


Dawn D. Pfaltzgraff
System Administrator
Premier Systems -plains.net
ddpfz@xxxxxxxxxx
(970-848-0475)
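Randy's reply above describes a Squid cache being abused by spammers as a mail relay, which shows up in Squid's native access.log as CONNECT tunnels to SMTP ports. The following Python check is an added example, not code from this thread or from Sun/Cobalt; the LOCAL_NETS ranges are assumed placeholders and the log lines are constructed.

```python
# Added example: scan a Squid native-format access.log for CONNECT tunnels to
# SMTP ports, the pattern behind a web cache being used as a spam relay.
import ipaddress
from collections import Counter

MAIL_PORTS = {25, 465, 587}                         # a web cache has no reason to tunnel here
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),   # assumed: networks the cache serves
              ipaddress.ip_network("192.168.0.0/16")]

def parse_native_line(line):
    """Native log fields: time elapsed client result/status bytes method url ..."""
    parts = line.split()
    if len(parts) < 7:
        return None
    result, _, status = parts[3].partition("/")
    return {"client": parts[2], "result": result, "status": int(status or 0),
            "method": parts[5], "url": parts[6]}

def connect_port(url):
    """CONNECT targets are host:port; return the port, or None for other URLs."""
    host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def find_relay_attempts(log_lines):
    """Return (succeeded, denied) Counters of mail-port CONNECTs keyed by client IP."""
    succeeded, denied = Counter(), Counter()
    for line in log_lines:
        rec = parse_native_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        if connect_port(rec["url"]) not in MAIL_PORTS:
            continue
        if rec["result"] == "TCP_DENIED" or rec["status"] == 403:
            denied[rec["client"]] += 1
        else:
            succeeded[rec["client"]] += 1
    return succeeded, denied

def external_relay_clients(succeeded):
    """Clients outside LOCAL_NETS that got a mail-port tunnel: the open-relay signal."""
    return sorted(ip for ip in succeeded
                  if not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS))

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
1049730003.220  45210 198.51.100.77 TCP_MISS/200 4831 CONNECT mx.example.net:25 - DIRECT/203.0.113.9 -
1049730004.019    150 198.51.100.77 TCP_MISS/200 4290 CONNECT mail.example.org:25 - DIRECT/203.0.113.21 -
1049730005.887    510 10.1.2.9 TCP_MISS/200 6012 CONNECT login.example.com:443 - DIRECT/192.0.2.44 -
1049730006.100  30011 198.51.100.77 TCP_DENIED/403 1473 CONNECT mx2.example.net:25 - NONE/- text/html
""".splitlines()
```

Run `find_relay_attempts` over the real access.log and treat any entry in `external_relay_clients` as confirmation that the cache is relaying for outsiders; tunnels to 443 from internal clients are normal proxy use and are not flagged.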