
RE: [cobalt-security] Re: Need some help on "spam" report



Bruce,

We are using ipchains, thanks to Gerald ;-). Not sure what or if it logs.
I'll have to dig around.

Not using this Qube 3 for anything more than email and no one but me has
shell access.

And it is completely up to date on patches including the two that have come
out the last two weeks (Proftpd today and Mutt last week); even though the
thing has been EOL'd on 2/17/2004 with an update from Sun (?) :-)

Qube3-All-Security-4.0.1-14935 1.0	Squid Security Update	1/8/2003

Is that the one you were thinking of?

Thanks!

Chuck

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Bruce Timberlake
Sent: Tuesday, April 20, 2004 1:42 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] Re: Need some help on "spam" report

Are there any CGI- or PHP-based forms-to-mail on the server? That's the most
common way to exploit a "locked" server.

Or does anyone have shell access? You could look at their .bash_history
files and see if they did anything via commandline.

I also don't know if the webmail on the Qube can be used to send spam.

And check to make sure you have Squid patched up (or ideally disabled);
there was a fairly nasty exploit for it a while back. That might be how they
got through as well.


Well, you'd have to have some sort of iptables/ipchains-like recording of
your HTTP traffic, and then look through it for any connections to
posting.google.com (216.239.37.122). But there's no way to do this
retroactively if you didn't have logging in place at the time. And that
would only tell you that an HTTP session was initiated, not *how* it was done.


Active Monitor processes the logs every hour now. That was done in reaction
to customer complaints that the logs weren't being processed quickly enough
on the older products... :)  The setting might be in /etc/logrotate.conf,
but I think Active Monitor is configured in CCE, so you'd have to find the
relevant entry there and modify it.
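Added example, not from this thread: a small parser that does the log search Bruce describes, picking outbound TCP connection attempts to a given destination (here the posting.google.com address from the thread) out of Linux netfilter `-j LOG` kernel log lines. It assumes the iptables LOG format and a rule that logs SYN packets with the prefix "OUT-HTTP "; the ipchains format used on the Qube 3 differs and is not handled. The log lines are constructed, not real Qube traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the iptables "-j LOG" kernel format, as produced by a rule such as
#   iptables -A OUTPUT -p tcp --dport 80 --syn -j LOG --log-prefix "OUT-HTTP "
# (logging only SYN packets keeps one line per connection attempt). Not real Qube traffic.
SAMPLE_LOG = """\
Apr 20 13:40:01 qube kernel: OUT-HTTP IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.37.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 13:40:03 qube sshd[812]: Accepted password for chuck from 192.0.2.55 port 4020 ssh2
Apr 20 13:40:05 qube kernel: OUT-HTTP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=33002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 13:41:17 qube kernel: OUT-HTTP IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.37.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=33003 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 13:42:30 qube kernel: OUT-HTTP IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.37.122 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=33004 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", then the netfilter KEY=value fields
_TS = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+kernel:\s*(.*)$")
# KEY=value pairs; IN= has an empty value on outbound packets, SPT/DPT exist only for TCP/UDP
_FIELD = re.compile(r"(\w+)=(\S*)")

@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int

def parse_line(line: str) -> Optional[Conn]:
    """Return a Conn for a netfilter LOG line describing a TCP packet, else None."""
    m = _TS.match(line)
    if not m:
        return None  # not a kernel line (e.g. sshd, cron)
    fields = dict(_FIELD.findall(m.group(3)))
    if fields.get("PROTO") != "TCP" or "DST" not in fields or "DPT" not in fields:
        return None
    return Conn(m.group(1), fields["SRC"], fields["DST"], int(fields["DPT"]))

def find_connections(log_text: str, dst_ip: str, ports: Tuple[int, ...] = (80,)) -> List[Conn]:
    """Outbound TCP connection attempts to dst_ip on any of the given ports, in log order."""
    hits = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn and conn.dst == dst_ip and conn.dport in ports:
            hits.append(conn)
    return hits

if __name__ == "__main__":
    for c in find_connections(SAMPLE_LOG, "216.239.37.122"):
        print(f"{c.ts} {c.src} -> {c.dst}:{c.dport}")
```

As Bruce notes, a hit only shows that a session to that address was opened from the box at that time, not which process or user opened it.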