
Re: [cobalt-security] RE: HELP- CacheRaq4 being attacked



As a solution, perhaps you could get your hands on a barebones system, throw
Red Hat on it, then install your own version of squid?

Or at least one for a backup in cases like this.


----- Original Message -----
From: "Dawn D. Pfaltzgraff" <ddpfz@xxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, April 08, 2003 12:53 PM
Subject: [cobalt-security] RE: HELP- CacheRaq4 being attacked


> All right, I disabled squid (it is running version 2.3STABLE4) and all of
> a sudden I'm not getting the traffic I was before.  I did a netstat and
> everything looks fine now (no more strange-looking tcp connections.) So
> obviously there is a problem in squid, does anyone have this problem?
> Randy, do you know what version of squid your CacheQube was running or is
> running?
>
> Thanks,
> Dawn
>
>
> At 12:00 PM 4/7/2003 -0700, you wrote:
> >Send cobalt-security mailing list submissions to
> >         cobalt-security@xxxxxxxxxxxxxxx
> >
> >To subscribe or unsubscribe via the World Wide Web, visit
> >         http://list.cobalt.com/mailman/listinfo/cobalt-security
> >or, via email, send a message with subject or body 'help' to
> >         cobalt-security-request@xxxxxxxxxxxxxxx
> >
> >You can reach the person managing the list at
> >         cobalt-security-admin@xxxxxxxxxxxxxxx
> >
> >When replying, please edit your Subject line so it is more specific
> >than "Re: Contents of cobalt-security digest..."
> >
> >
> >Today's Topics:
> >
> >    1. RaQ2 Sendmail fix (Diana Brake)
> >    2. RE: RaQ2 Sendmail fix (Gavin Nelmes-Crocker)
> >    3. Not great news for Cobalt Users (Gavin Nelmes-Crocker)
> >    4. SSH sniffing (Tik & Klik Internetdiensten)
> >    5. Re: SSH sniffing (Jeroen Wunnink)
> >    6. HELP- CacheRaq4 being attacked (Dawn D. Pfaltzgraff)
> >    7. Re: HELP- CacheRaq4 being attacked (Dave @ The Hostworks)
> >    8. RE: HELP- CacheRaq4 being attacked (Randy Russell)
> >
> >--__--__--
> >
> >Message: 1
> >Date: Sun, 06 Apr 2003 21:31:31 -0400
> >From: Diana Brake <diana@xxxxxxxxxxxxx>
> >To: cobalt-security@xxxxxxxxxxxxxxx
> >Subject: [cobalt-security] RaQ2 Sendmail fix
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >Hi,
> >
> >I found a sendmail 'fix' for the RaQ2 as provided by the people at
> >htt://www.raqtweak.com/   or http://www.raqtweak.com/free.php
> >
> >I don't know these people so I'm hoping that someone here can vouch for
> >them. I downloaded the package and installed it on a non-production
> >machine...all appears to be fine. I wouldn't have a clue how to go about
> >tearing the package apart and auditing it for security. Any insight will
> >be greatly appreciated.
> >--
> >Diana
> >
> >
> >--__--__--
> >
> >Message: 2
> >From: "Gavin Nelmes-Crocker" <cobalt@xxxxxxxxxxxxxxxx>
> >To: <cobalt-security@xxxxxxxxxxxxxxx>
> >Subject: RE: [cobalt-security] RaQ2 Sendmail fix
> >Date: Mon, 7 Apr 2003 09:11:27 +0100
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >
> > > I found a sendmail 'fix' for the RaQ2 as provided by the people at
> > > htt://www.raqtweak.com/   or http://www.raqtweak.com/free.php
> > >
> > > I don't know these people so I'm hoping that someone here can vouch for
> > > them. I downloaded the package and installed it on a non-production
> > > machine...all appears to be fine. I wouldn't have a clue how to go about
> > > tearing the package apart and auditing it for security. Any insight will
> > > be greatly appreciated.
> >
> >I have a little knowledge of them in the sense that I have taken a few of
> >their pkgs apart for auditing.
> >
> >In every case that I can think of we found the register_me script activated
> >which basically sends an email from your RaQ to raqtweak with details of
> >your server.  It does this behind the scenes so most users don't know it
> >happens.  I don't think they declare this on their web site and therefore
> >some people may have chosen to avoid them for this reason.
> >
> >As to whether the actual patch/mod or upgrade works or not I can't comment.
> >The guy behind it is Leslie Herps; do a search on the groups and see what
> >comes back.
> >
> >My 2 cents
> >
> >Gavin
> >
> >
> >--__--__--
> >
> >Message: 3
> >From: "Gavin Nelmes-Crocker" <cobalt@xxxxxxxxxxxxxxxx>
> >To: "Cobalt-Security@List. Cobalt. Com" <cobalt-security@xxxxxxxxxxxxxxx>,
> >         "Cobalt-Users@List. Cobalt. Com" <cobalt-users@xxxxxxxxxxxxxxx>,
> >         "Cobaltfacts@List. Cobaltfacts. Com" <cobaltfacts@xxxxxxxxxxxxxxxxxxxx>,
> >         "Cobalt-Developers@List. Cobalt. Com" <cobalt-developers@xxxxxxxxxxxxxxx>
> >Date: Mon, 7 Apr 2003 10:09:04 +0100
> >Subject: [cobalt-security] Not great news for Cobalt Users
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >Sorry for the broadcast but I feel it is important for people to start
> >thinking what they will do in the future.  I know some of this has started
> >to be talked about with the Qbalt project and talk recently of an
> >independent group setting up a patching network.
> >
> >This just arrived from Red Hat
> >
> ><snip>
> >  Sent: 02 April 2003 17:48
> >To: redhat-watch-list@xxxxxxxxxx; redhat-announce-list@xxxxxxxxxx
> >Subject: End of Life: Red Hat Linux 6.2, 7
> >
> >
> >In accordance with our errata support policy the Red Hat Linux 6.2 and
> >Red Hat Linux 7 distributions have now reached their end-of-life for
> >errata maintenance.  This means that we will no longer be producing
> >security, bugfix, or enhancement updates for these products.
> ></snip>
> >
> >As most of the Cobalt product line is based on Red Hat 6.2
> >(RaQ3,4,XTR,Qube3) this is serious unless anyone else has a different
> >hopefully better view or solution.
> >
> >Regards
> >
> >Gavin
> >
> >
> >--__--__--
> >
> >Message: 4
> >From: "Tik & Klik Internetdiensten" <info@xxxxxxxxxx>
> >To: <cobalt-security@xxxxxxxxxxxxxxx>
> >Date: Mon, 7 Apr 2003 11:16:45 +0200
> >Subject: [cobalt-security] SSH sniffing
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >Hello,
> >
> >Does anybody know a solution to stop users with ssh access from sniffing in
> >other places on the server than their own site?
> >
> >And I don't mean the answer "don't give them SSH access" :-)
> >
> >
> >--__--__--
> >
> >Message: 5
> >Date: Mon, 07 Apr 2003 13:30:20 +0200
> >To: cobalt-security@xxxxxxxxxxxxxxx
> >From: Jeroen Wunnink <jeroen@xxxxxxxxxxxxxx>
> >Subject: Re: [cobalt-security] SSH sniffing
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >Do some research on chroot, it'll give you the ability to change the /
> >partition for applications and users, so you can set their ~/ as /, this
> >way they cannot change to directories below their userdir..
> >
> >At 11:16 AM 4/7/2003 +0200, you wrote:
> > >Hello,
> > >
> > >Does anybody know a solution to stop users with ssh access from sniffing in
> > >other places on the server than their own site?
> > >
> > >And I don't mean the answer "don't give them SSH access" :-)
> > >
> > >_______________________________________________
> > >cobalt-security mailing list
> > >cobalt-security@xxxxxxxxxxxxxxx
> > >http://list.cobalt.com/mailman/listinfo/cobalt-security
> >
> >
> >
> >Met vriendelijke groet,
> >
> >Jeroen Wunnink,
> >systeembeheer@xxxxxxxxxxxxxx
> >
> >telefoon:+31 (035) 6285455              Postbus 1332
> >fax: +31 (035) 6838242                  1200 BH Hilversum
> >
> >http://www.easyhosting.nl
> >
> >
> >--__--__--
> >
> >Message: 6
> >Date: Mon, 07 Apr 2003 08:33:08 -0600
> >To: cobalt-security@xxxxxxxxxxxxxxx
> >From: "Dawn D. Pfaltzgraff" <ddpfz@xxxxxxxxxx>
> >Subject: [cobalt-security] HELP- CacheRaq4 being attacked
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >Over the past couple of days have noticed the traffic for a CacheRaq4 at
> >one of our schools is seeing an INSANE amount of traffic.  Also the
> >administrator there keeps receiving a whole bunch of returned mail
> >(vulnerable SMTP, seems to be "undeliverable" spam).  So anybody got any
> >ideas? It's behind a SonicWall and the following ports are the only ones
> >that appear to be open: netbios (137,138), telnet and squid (SMTP is
> >opened).  Now I have also noticed that every time a "Squid child" starts up
> >it exits on "signal 6".  I'm not sure where to start on this one, if
> >anyone has any suggestions, please let me know.  As for updates, the box
> >has been updated with the Cobalt updates and nothing else.  Other than
> >that... it's straight out of the box.  Is squid a problem or something?
> >
> >Thanks,
> >Dawn
> >
> >
> >Dawn D. Pfaltzgraff
> >System Administrator
> >Premier Systems -plains.net
> >ddpfz@xxxxxxxxxx
> >(970-848-0475)
> >
> >
> >
> >--__--__--
> >
> >Message: 7
> >From: "Dave @ The Hostworks" <dave@xxxxxxxxxxxxxxxx>
> >To: <cobalt-security@xxxxxxxxxxxxxxx>
> >Subject: Re: [cobalt-security] HELP- CacheRaq4 being attacked
> >Date: Mon, 7 Apr 2003 10:59:03 -0400
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >Are you sure the traffic is generated by smtp?
> >
> >An aggressive spammer can actually send out mass messages, cloaking your
> >hostname, so in return you get the undeliverable messages... Even if it was
> >sent from some other server, by some other idiot spammer.
> >
> >
> >----- Original Message -----
> >From: "Dawn D. Pfaltzgraff" <ddpfz@xxxxxxxxxx>
> >To: <cobalt-security@xxxxxxxxxxxxxxx>
> >Sent: Monday, April 07, 2003 10:33 AM
> >Subject: [cobalt-security] HELP- CacheRaq4 being attacked
> >
> >
> > > Over the past couple of days have noticed the traffic for a CacheRaq4 at
> > > one of our schools is seeing an INSANE amount of traffic.  Also the
> > > administrator there keeps receiving a whole bunch of returned mail
> > > (vulnerable SMTP, seems to be "undeliverable" spam).  So anybody got any
> > > ideas? It's behind a SonicWall and the following ports are the only ones
> > > that appear to be open: netbios (137,138), telnet and squid (SMTP is
> > > opened).  Now I have also noticed that every time a "Squid child" starts up
> > > it exits on "signal 6".  I'm not sure where to start on this one, if
> > > anyone has any suggestions, please let me know.  As for updates, the box
> > > has been updated with the Cobalt updates and nothing else.  Other than
> > > that... it's straight out of the box.  Is squid a problem or something?
> > >
> > > Thanks,
> > > Dawn
> > >
> > >
> > > Dawn D. Pfaltzgraff
> > > System Administrator
> > > Premier Systems -plains.net
> > > ddpfz@xxxxxxxxxx
> > > (970-848-0475)
> > >
> > >
> > >
> >
> >
> >
> >--__--__--
> >
> >Message: 8
> >From: "Randy Russell" <rrussell@xxxxxxxxxxxxxx>
> >To: <cobalt-security@xxxxxxxxxxxxxxx>
> >Subject: RE: [cobalt-security] HELP- CacheRaq4 being attacked
> >Date: Mon, 7 Apr 2003 11:38:08 -0700
> >Reply-To: cobalt-security@xxxxxxxxxxxxxxx
> >
> >It might be a squid problem. We had a Qube 3 with squid (Web caching on) and
> >it was used as a method for spammers to relay their mail because of a bug.
> >Once we turned it off, that traffic stopped. Sun came out with a security
> >patch to fix it. The problem is now fixed. We have it on.  I don't know about
> >the RaQ Cache 4.
> >
> >Do you have the Raq4 Cache on the DMZ port of the SonicWall? If so what
> >model do you have?
> >
> >-Randy
> >
> >-----Original Message-----
> >From: cobalt-security-admin@xxxxxxxxxxxxxxx
> >[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Dave @ The
> >Hostworks
> >Sent: Monday, April 07, 2003 7:59 AM
> >To: cobalt-security@xxxxxxxxxxxxxxx
> >Subject: Re: [cobalt-security] HELP- CacheRaq4 being attacked
> >
> >
> >Are you sure the traffic is generated by smtp?
> >
> >An aggressive spammer can actually send out mass messages, cloaking your
> >hostname, so in return you get the undeliverable messages... Even if it was
> >sent from some other server, by some other idiot spammer.
> >
> >
> >----- Original Message -----
> >From: "Dawn D. Pfaltzgraff" <ddpfz@xxxxxxxxxx>
> >To: <cobalt-security@xxxxxxxxxxxxxxx>
> >Sent: Monday, April 07, 2003 10:33 AM
> >Subject: [cobalt-security] HELP- CacheRaq4 being attacked
> >
> >
> > > Over the past couple of days have noticed the traffic for a CacheRaq4 at
> > > one of our schools is seeing an INSANE amount of traffic.  Also the
> > > administrator there keeps receiving a whole bunch of returned mail
> > > (vulnerable SMTP, seems to be "undeliverable" spam).  So anybody got any
> > > ideas? It's behind a SonicWall and the following ports are the only ones
> > > that appear to be open: netbios (137,138), telnet and squid (SMTP is
> > > opened).  Now I have also noticed that every time a "Squid child" starts up
> > > it exits on "signal 6".  I'm not sure where to start on this one, if
> > > anyone has any suggestions, please let me know.  As for updates, the box
> > > has been updated with the Cobalt updates and nothing else.  Other than
> > > that... it's straight out of the box.  Is squid a problem or something?
> > >
> > > Thanks,
> > > Dawn
> > >
> > >
> > > Dawn D. Pfaltzgraff
> > > System Administrator
> > > Premier Systems -plains.net
> > > ddpfz@xxxxxxxxxx
> > > (970-848-0475)
> > >
> > >
> > >
> >
> >
> >
> >
> >
> >
> >
> >--__--__--
> >
> >
> >
> >End of cobalt-security Digest
>
>
> Dawn D. Pfaltzgraff
> System Administrator
> Premier Systems -plains.net
> ddpfz@xxxxxxxxxx
> (970-848-0475)
>
>
>
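Editor's added example, not code from anyone in the thread. Dawn confirmed the
problem by looking at netstat for "strange looking tcp connections", and Randy
reports a Qube 3 whose squid was used by spammers to relay mail. The script
below turns that manual look into a repeatable triage of `netstat -tn` output
from a cache box. It flags two things: established sessions on the proxy port
from addresses outside the local networks (outsiders using the cache as an open
proxy), and connections from the box to remote port 25 (a caching proxy has no
reason to speak SMTP, so those are relay sessions being tunnelled through it).
Everything not in the thread is an assumption: the Linux `netstat -tn` column
layout, squid's default port 3128, the RFC 1918 ranges used as "local", and the
sample output, which is constructed to illustrate the two indicators.

```python
"""Triage `netstat -tn` output from a web-cache box for signs that the proxy
is being abused as a spam relay.

Added example; not from the cobalt-security thread. Assumes the Linux
netstat column layout (Proto Recv-Q Send-Q Local Foreign State). The proxy
port (3128, squid's default) and the "local" networks are assumptions; the
thread never names either.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(text):
    """Parse `netstat -tn` lines into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        lip, lport = parts[3].rsplit(":", 1)   # rsplit copes with IPv6 too
        rip, rport = parts[4].rsplit(":", 1)
        conns.append(Conn(lip, int(lport), rip, int(rport), parts[5]))
    return conns


def is_local(ip, local_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def triage(text, proxy_port=3128,
           local_nets=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """Return two counters keyed by remote address:
    external_proxy_clients: sessions on the proxy port from non-local addresses
    outbound_smtp: sessions from this box to port 25 (any state, SYN_SENT included)
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    external_clients = Counter()
    smtp_targets = Counter()
    for c in parse_netstat(text):
        if c.local_port == proxy_port and not is_local(c.remote_ip, nets):
            external_clients[c.remote_ip] += 1
        if c.remote_port == 25:
            smtp_targets[c.remote_ip] += 1
    return {"external_proxy_clients": external_clients,
            "outbound_smtp": smtp_targets}


# Constructed sample: 192.168.1.10 is the cache box; 203.0.113.x, 198.51.100.x
# and 192.0.2.x are documentation ranges standing in for outside hosts.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:3128       192.168.1.55:1041       ESTABLISHED
tcp        0      0 192.168.1.10:3128       203.0.113.77:4312       ESTABLISHED
tcp        0      0 192.168.1.10:3128       203.0.113.77:4313       ESTABLISHED
tcp        0      0 192.168.1.10:3128       198.51.100.9:2231       ESTABLISHED
tcp        0      0 192.168.1.10:1025       192.0.2.20:25           ESTABLISHED
tcp        0      0 192.168.1.10:1026       192.0.2.21:25           SYN_SENT
tcp        0      0 192.168.1.10:23         192.168.1.55:1050       ESTABLISHED
"""


def report(text=SAMPLE):
    """Human-readable summary; returns the lines so callers can log them."""
    r = triage(text)
    lines = []
    for ip, n in r["external_proxy_clients"].most_common():
        lines.append(f"external client on proxy port: {ip} ({n} sessions)")
    for ip, n in r["outbound_smtp"].most_common():
        lines.append(f"outbound SMTP from cache box to {ip} ({n} sessions)")
    if not lines:
        lines.append("no proxy-abuse indicators found")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On a live box, feed it `netstat -tn` output (`netstat -tn | python3 triage.py`
after adapting `report` to read stdin). Either indicator firing means the cache
is reachable from the outside or is tunnelling mail; the thread's own remedies
were to stop squid and apply the vendor patch, and in general a caching proxy
should only accept requests from its local networks and should not allow
CONNECT to port 25.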