
[cobalt-security] Re: Need some help on "spam" report


> I got a report that our Qube had been used for Spam and as far as I know it
> is locked down pretty tight so I don't know what to make of this.

Are there any CGI- or PHP-based forms-to-mail on the server? That's the most 
common way to exploit a "locked" server.

Or does anyone have shell access? You could look at their .bash_history files 
and see if they did anything via commandline.

I also don't know if the webmail on the Qube can be used to send spam.

And check to make sure you have Squid patched up (or ideally disabled); there 
was a fairly nasty exploit for it a while back. That might be how they got 
through as well.

> I had one person on the Dshield list say to check the maillogs and I tried
> that but they only go back to 4/16 and this happened on 4/13. Then someone
> else just noted that they are not aware of any way to spoof the
> NNTP-Posting-Host that shows our IP address in this email and you'll
> have to look for outbound HTTP connections to posting.google.com from your
> IP, not SMTP transactions.
>
> So how do I do that?

Well, you'd have to have some sort of iptables/ipchains-like recording of your 
HTTP traffic, and then look through it for any connections to 
posting.google.com (216.239.37.122).  But there's no way to do this 
retroactively if you didn't have logging in place at the time. And that would 
only tell you that an HTTP session was initiated, not *how* it was done.

> And is there a way to keep logs from rolling off so fast ?

Active Monitor processes the logs every hour now. That was done in reaction to 
customer complaints that the logs weren't being processed quickly enough on 
the older products... :)  The setting might be in /etc/logrotate.conf, but I 
think Active Monitor is configured in CCE, so you'd have to find the relevant 
entry there and modify it.
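As an added example, not part of the original thread: the kind of iptables LOG rule that would record new outbound HTTP connections to posting.google.com (216.239.37.122), and a small parser that pulls the matching entries out of the kernel log so their timestamps can be lined up against the abuse report. The log lines and the 192.0.2.10 "Qube" address are constructed placeholders, and the rule syntax assumes the iptables LOG target.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the kernel's iptables
# LOG target format as written to /var/log/messages. All log lines and the
# 192.0.2.10 "Qube" address are constructed placeholders; 216.239.37.122 is
# the posting.google.com address quoted in the reply.

# A rule that would have produced such records (needs root; shown, not run):
#   iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d 216.239.37.122 \
#       -m state --state NEW -j LOG --log-prefix "HTTP-OUT: "

SAMPLE_LOG='Apr 13 02:11:05 qube kernel: HTTP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.37.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=33211 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 13 02:11:09 qube kernel: HTTP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.37.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=33212 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 13 02:15:40 qube kernel: HTTP-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=33213 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 13 02:16:02 qube sshd[2211]: Accepted password for admin from 192.0.2.44 port 4022'

# report_posts <dst-ip>: for every new (SYN) outbound TCP/80 connection to
# <dst-ip> found on stdin, print "Mon DD HH:MM:SS SRC:SPT" so the times can
# be matched against the complaint. Non-kernel lines are ignored.
report_posts() {
    awk -v dst="$1" '
        /kernel: / && index($0, "DST=" dst " ") && /PROTO=TCP/ && /DPT=80 / && / SYN / {
            src = ""; spt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^SPT=/) spt = substr($i, 5)
            }
            print $1, $2, $3, src ":" spt
        }'
}

# count_posts <dst-ip>: number of such connections found on stdin.
count_posts() {
    report_posts "$1" | wc -l | tr -d ' '
}

# Demo run over the constructed sample; on a real box you would feed
# /var/log/messages (plus any rotated copies) instead.
printf '%s\n' "$SAMPLE_LOG" | report_posts 216.239.37.122
echo "total: $(printf '%s\n' "$SAMPLE_LOG" | count_posts 216.239.37.122)"
```

As the reply says, this only works if the LOG rule was in place before the incident; it shows that a session to that address was opened, not which process or script opened it.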