[cobalt-security] Re: Need some help on "spam" report
- From: Bruce Timberlake <bruce@xxxxxxxxxx>
- Date: Tue, 20 Apr 2004 11:41:54 -0700
- Organization: BRTNet.org
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> I got a report that our Qube had been used for Spam and as far as I know it
> is locked down pretty tight so I don't know what to make of this.

Are there any CGI- or PHP-based forms-to-mail on the server? That's the most
common way to exploit a "locked" server.

Or does anyone have shell access? You could look at their .bash_history files
and see if they did anything via the command line.

I also don't know if the webmail on the Qube can be used to send spam.

And check to make sure you have Squid patched up (or ideally disabled); there
was a fairly nasty exploit for it a while back. That might be how they got
through as well.

> I had one person on the Dshield list say to check the maillogs and I tried
> that but they only go back to 4/16 and this happened on 4/13. Then someone
> else just noted that they are not aware of any way to spoof the
> NNTP-Posting-Host that shows our IP address in this email and You'll
> have to look for outbound HTTP connections to posting.google.com from your
> IP, not SMTP transactions.
>
> So how do I do that?

Well, you'd have to have some sort of iptables/ipchains-like recording of your
HTTP traffic, and then look through it for any connections to
posting.google.com (216.239.37.122). But there's no way to do this
retroactively if you didn't have logging in place at the time. And that would
only tell you that an HTTP session was initiated, not *how* it was done.

> And is there a way to keep logs from rolling off so fast?

Active Monitor processes the logs every hour now. That was done in reaction to
customer complaints that the logs weren't being processed quickly enough on
the older products... :) The setting might be in /etc/logrotate.conf, but I
think Active Monitor is configured in CCE, so you'd have to find the relevant
entry there and modify it.
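The "iptables-like recording of your HTTP traffic" the reply above describes, as an added example that is not part of the original post: one LOG rule that records every new outbound HTTP session with a searchable prefix, and an awk filter that pulls out the sessions to a given destination (216.239.37.122 from the thread). The log format, the host name "qube", the source address 192.0.2.10 and the /var/log/messages path are assumptions; the sample log lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables with the LOG
# target and a syslog that writes kernel messages to /var/log/messages.

# Log the SYN of every new outbound TCP session to port 80 with a searchable
# prefix. Wrapped in a function so nothing fires when this file is sourced;
# run it once, as root, *before* the period you want to be able to investigate.
install_http_log_rule() {
    iptables -A OUTPUT -p tcp --dport 80 --syn -j LOG \
        --log-prefix "OUT_HTTP: " --log-level info
}

# Constructed sample of the resulting kernel log lines (not a real capture).
SAMPLE_LOG='Apr 13 02:17:09 qube kernel: OUT_HTTP: IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.37.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40312 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 13 02:17:10 qube kernel: OUT_HTTP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40313 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 13 02:18:42 qube kernel: OUT_HTTP: IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.37.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1240 DF PROTO=TCP SPT=40320 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# Print "timestamp SRC:SPT -> DST:DPT" for every OUT_HTTP line whose DST
# equals $1. Reads the log text on stdin, so it works on /var/log/messages
# (or rotated copies) as well as on the sample above.
outbound_http_to() {
    awk -v want="$1" '
        /OUT_HTTP:/ {
            src = ""; dst = ""; spt = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")          # KEY=VALUE tokens; IN= has an empty value
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (dst == want)
                printf "%s %s %s %s:%s -> %s:%s\n", $1, $2, $3, src, spt, dst, dpt
        }'
}

# Usage on a live box:  outbound_http_to 216.239.37.122 < /var/log/messages
# On the constructed sample this reports the two 02:17:09 and 02:18:42 sessions.
```

As the reply notes, this only shows that a session was opened from the box; pairing the timestamp and source port with web server, mail and shell history from the same minute is what points at the process that opened it.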