-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 12, 2001 1:20 PM
To: [EMAIL PROTECTED]
Subject: cobalt-security digest, Vol 1 #377 - 20 msgs

Send cobalt-security mailing list submissions to
    [EMAIL PROTECTED]

To subscribe or unsubscribe via the World Wide Web, visit
    http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
    [EMAIL PROTECTED]

You can reach the person managing the list at
    [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of cobalt-security digest..."

Today's Topics:

   1. RE: Come DownUnder and get a RaQ4 StoreSense for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year - incs colocation + Unlimited Data Output (Tony)
   2. RE: Come DownUnder and get a RaQ4 StoreSense for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year - incs colocation + Unlimited Data Output (WebHost Mail Center)
   3. RE: OT - Come DownUnder and get a RaQ4 [...] (Francois Thomas)
   4. RaQ4-All-Security Release 1.0.2-5-9769 (Achieve Website Design)
   5. RE: Come DownUnder and get a RaQ4 StoreSense for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year - incs colocation + Unlimited Data Output (Hostmaster)
   6. AW: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769 (Rob van Eijk)
   7. Re: profile of a bind worm (Kevin D)
   8. Re: RaQ4-All-Security Release 1.0.2-5-9769 (MikeM)
   9. RE: Come DownUnder and get a RaQ4 SPAMMING ! (Vachon, Scott)
  10. Re: Come DownUnder and get a RaQ4 SPAMMING ! (Kevin D)
  11. Re: RaQ4-All-Security Release 1.0.2-5-9769 (Alex Collins)
  12. RE: profile of a bind worm (Jabie Gray)
  13. Re: RaQ4-All-Security Release 1.0.2-5-9769 (MikeM)
  14. Re: profile of a bind worm (Kevin D)
  15. Re: profile of a bind worm (Lawrence Frewin of Accommodation.com)
  16.
RE: profile of a bind worm (shimi)

--__--__--

Message: 1
From: "Tony" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year - incs colocation + Unlimited Data Output
Date: Mon, 11 Jun 2001 22:34:51 -0500
Reply-To: [EMAIL PROTECTED]

>
>Hello All,
>
>We wanted to announce this offer to the Cobalt community before we
>announce it to the press and other news outlets. We think we have
>

Nice spam but I prefer my spam with eggs over easy and a lot of ketchup.
Don't forget to tell everyone about the $500 a month in minimum store licenses that Kurant will hit them for.

--__--__--

Message: 2
Date: Tue, 12 Jun 2001 15:00:51 +1000
To: [EMAIL PROTECTED]
From: WebHost Mail Center <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year - incs colocation + Unlimited Data Output
Reply-To: [EMAIL PROTECTED]

Hi Tony,

Thanks for the reply. Sorry my spam offended you, and anyone else on the list who took offense, it wasn't meant to. Some people were interested so I took a risk.

Since you mentioned StoreSense I thought I would clarify that point too.

The min licensing fee might be true in the US, but here in Australia there is NO minimum store licensing fee charged by StoreSense Australia - http://www.storesense.com.au

You get the Site Store and the Retroactive Demo Store free, and you only pay for additional stores you open up, which presumably you have on sold to customers.

Thank you for your comments I take them in the spirit they were intended.

Kind regards,

Tim Rignold
Dedicated Servers Australia
http://www.dedicatedservers.com.au

>
>
>>Hello All,
>>
>>We wanted to announce this offer to the Cobalt community before we
>>announce it to the press and other news outlets.
We think we have
>>
>Nice spam but I prefer my spam with eggs over easy and a lot of ketchup.
>Don't forget to tell everyone about the $500 a month in minimum store
>licenses that Kurant will hit them for.
>_______________________________________________
>cobalt-security mailing list
>[EMAIL PROTECTED]
>http://list.cobalt.com/mailman/listinfo/cobalt-security

--
_____________________________________________________________
Dedicated Servers Australia - BRISBANE    Telephone + 61 7 3831 9111
80 Berry Street                           Facsimile + 61 7 3839 5442
Spring Hill Queensland                    mailto:[EMAIL PROTECTED]
AUSTRALIA 4000                            http://www.dedicatedservers.com.au
A WEBHOST COMPANY - PROUDLY 100% AUSTRALIAN OWNED
_____________________________________________________________
The information in this email is confidential. It is intended solely for the addressee(s). Access, copying or re-use of the information by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.
_____________________________________________________________

--__--__--

Message: 3
From: Francois Thomas <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] OT - Come DownUnder and get a RaQ4 [...]
Date: Tue, 12 Jun 2001 10:51:57 +0200
Reply-To: [EMAIL PROTECTED]

> -----Original Message-----
> From: WebHost Mail Center [mailto:[EMAIL PROTECTED]]
> Sent: Tue. 12 June 2001 07:01
> To: [EMAIL PROTECTED]
> Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense
> for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year -
> incs colocation + Unlimited Data Output
>
>
> Hi Tony,
>
> Thanks for the reply. Sorry my spam offended you, and anyone else on
> the list who took offense, it wasn't meant to. Some people were
> interested so I took a risk.
Please remember for the future that people here are interested in COBALT SECURITY, and nothing else.

>
> Since you mentioned StoreSense I thought I would clarify that point
> too.

Please remember for the future that people here have nothing to do with your commercial matters.
I would be pleased to see this thread's end ASAP, and I'm sure I'm not the only one.
Sorry for this noise.

Regards
François

--__--__--

Message: 4
From: "Achieve Website Design" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Tue, 12 Jun 2001 10:08:30 +0100
Subject: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: [EMAIL PROTECTED]

Hello,
Ever since I installed the above package on May 24, my web stats have stopped working correctly. The stats on the Site Usage feature on the Raq do not get cleared each day, and what I have now are logs from May 24. I'm concerned in so far as that if this continues I will end up with very large log files. Has anyone else encountered this problem?

Thanks,
Declan Connolly.

--__--__--

Message: 5
Date: Tue, 12 Jun 2001 17:43:59 +0800
To: [EMAIL PROTECTED]
From: Hostmaster <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 StoreSense for US$49 (AU$99)/mth OR own the server outright $149/month - 1 year - incs colocation + Unlimited Data Output
Reply-To: [EMAIL PROTECTED]

At 03:00 PM 12/06/2001 +1000, you wrote:
>Thanks for the reply. Sorry my spam offended you, and anyone else on the
>list who took offense, it wasn't meant to. Some people were interested so
>I took a risk.

It'd be a risk alright.

The site claims "Dedicated Servers Australia is a wholly owned subsidiary of Australia's oldest Web Hosting company - WebHost Australia. Founded in March, 1995, WebHost was the first Australian company to create a specialized service that dealt solely with web hosting. In fact, we defined the industry by coining the term web hosting."

There is no such business name (DBA) or company registered in Australia.
Webhosts Australia was registered as a business name in 1999 - if it is the same firm (not company) it was registered four years later than claimed.

If they lie about this, what else? Caveat Emptor.

Time for a call to the ACCC with a printout of all these claims. Also no mention of who you'd be dealing with and no ACN/ABN numbers. Highly illegal.

--__--__--

Message: 6
From: Rob van Eijk <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: AW: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Date: Tue, 12 Jun 2001 11:50:44 +0200
Reply-To: [EMAIL PROTECTED]

Check if your crond is running:

    ps -aux | grep crond

You also might want to check:
http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=27

--
MVG Rob van Eijk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Achieve Website Design
Sent: Tuesday 12 June 2001 11:08
To: [EMAIL PROTECTED]
Subject: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769

Hello,
Ever since I installed the above package on May 24, my web stats have stopped working correctly. The stats on the Site Usage feature on the Raq do not get cleared each day, and what I have now are logs from May 24. I'm concerned in so far as that if this continues I will end up with very large log files. Has anyone else encountered this problem?

Thanks,
Declan Connolly.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

--__--__--

Message: 7
From: "Kevin D" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 08:58:05 -0400
Reply-To: [EMAIL PROTECTED]

From: "Carrie Bartkowiak" <[EMAIL PROTECTED]>

> > How are you restarting? your /etc/rc.d/init.d/named script should have this
> > in the start section:
>
> Should it have it in the hard-restart) section as well?
It seems mine does not, but it should :)

Kevin

--__--__--

Message: 8
Date: Tue, 12 Jun 2001 09:28:37 -0400
From: "MikeM" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: [EMAIL PROTECTED]

On 6/12/01 at 10:08 AM Achieve Website Design wrote:

| Hello,
| Ever since I installed the above package on May 24, my web stats have
| stopped working correctly. The stats on the Site Usage feature on the Raq do
| not get cleared each day, and what I have now are logs from May 24. I'm
| concerned in so far as that if this continues I will end up with very large
| log files. Has anyone else encountered this problem?

I have noticed two problems with my logs recently:
1) they are accumulating since May 24.
2) the domain lookups are not working, even though I have the option checked to report by domain names instead of IP addresses.

I have not had the time to track this down, but it is interesting that you seem to have the May 24 problem also.

--__--__--

Message: 9
From: "Vachon, Scott" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] Come DownUnder and get a RaQ4 SPAMMING !
Date: Tue, 12 Jun 2001 08:45:28 -0500
Reply-To: [EMAIL PROTECTED]

>We wanted to announce this offer to the Cobalt community before we
>announce it to the press and other news outlets.

<Major sh*% snip>...

OK..this was blatant spamming ! Hell, it wasn't even on the users list ! It MIGHT have been acceptable if you mentioned the deal and provided a link for more info. Read the Meta-Faq Tim !

~s~

Disclaimer: My own two cents.

--__--__--

Message: 10
From: "Kevin D" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] Come DownUnder and get a RaQ4 SPAMMING !
Date: Tue, 12 Jun 2001 10:07:00 -0400
Reply-To: [EMAIL PROTECTED]

Yeah, and it even came in as a nasty text attachment in my email client...
Kevin

From: "Vachon, Scott" <[EMAIL PROTECTED]>

> OK..this was blatant spamming ! Hell, it wasn't even on the users list ! It
> MIGHT have been acceptable if you mentioned the deal and provided a link for
> more info. Read the Meta-Faq Tim !

--__--__--

Message: 11
Date: Tue, 12 Jun 2001 16:00:28 +0100
To: [EMAIL PROTECTED]
From: Alex Collins <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: [EMAIL PROTECTED]

In article <001001c0f31f$4a909920$7691869f@default>, Achieve Website Design <[EMAIL PROTECTED]> writes
>Hello,
>Ever since I installed the above package on May 24, my web stats have
>stopped working correctly.

Me 2

Same date - i have just started to have a look at what is going on in there and will report back.

--
Alex Collins.
Rivermead Library IT Support Technician.
Rivermead Library.
Tel:01245 493131 X3722 Fax: X3145
[EMAIL PROTECTED]
http://libweb.apu.ac.uk
This message has been ROT-13 Encrypted twice for Extra Security !

--__--__--

Message: 12
From: "Jabie Gray" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: RE: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 08:09:33 -0700
Reply-To: [EMAIL PROTECTED]

My named is running as root too.
I see two instances of the daemon function in the /etc/rc.d/init.d/named script. One is for start, the other is for hard restart.
Do I need to change both of them to use -u & -g options?
Do I need to create the user and group of named?

Thanks,
Jabie
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin D
Sent: Monday, June 11, 2001 8:30 AM
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] profile of a bind worm

From: "Robson Martins" <[EMAIL PROTECTED]>

> Hey all, i have bind-8.2.3 running here, my question is, when i run it with
> start it is the user named but if i restart, it gets the root username, is
> it a problem? Can i receive a worm with this problem?
Named need always run
> as named? Restart is really affecting the username?

How are you restarting? your /etc/rc.d/init.d/named script should have this in the start section:

    daemon named -u named -g named

Which should start bind as user named if you do this:

    /etc/rc.d/init.d/named stop
    /etc/rc.d/init.d/named start

Bind running as root is a problem, but less of a problem if you have ver 8.2.3. If a new bind vulnerability is discovered for ver 8.2.3, a hacker could easily gain root access to your box. What saved me from the worst effects of a bind worm was bind running as named instead of root.

Kevin

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

--__--__--

Message: 13
Date: Tue, 12 Jun 2001 11:39:14 -0400
From: "MikeM" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] RaQ4-All-Security Release 1.0.2-5-9769
Reply-To: [EMAIL PROTECTED]

On 6/12/01 at 4:00 PM Alex Collins wrote:

| In article <001001c0f31f$4a909920$7691869f@default>, Achieve Website
| Design <[EMAIL PROTECTED]> writes
| >Hello,
| >Ever since I installed the above package on May 24, my web stats have
| >stopped working correctly.
|
| Me 2
|
| Same date - i have just started to have a look at what is going on in
| there and will report back.

As a follow-up to my prior message on this topic... crond appears to be running fine on my box. Additionally, I have a RaQ3, not a RaQ4. I installed the RaQ3 version of this patch.

--__--__--

Message: 14
From: "Kevin D" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 11:46:44 -0400
Reply-To: [EMAIL PROTECTED]

From: "Jabie Gray" <[EMAIL PROTECTED]>

> My named is running as root too.

Bad idea.

> I see two instances of the daemon function in the /etc/rc.d/init.d/named
> script. One is for start, the other is for hard restart.
> Do I need to change both of them to use -u & -g options?

Yes you should.

> Do I need to create the user and group of named?

Maybe. Check your /etc/passwd file. My guess is probably not.

Kevin

--__--__--

Message: 15
From: "Lawrence Frewin of Accommodation.com" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] profile of a bind worm
Date: Tue, 12 Jun 2001 18:22:41 +0100
Reply-To: [EMAIL PROTECTED]

We made the changes to the named file, but have subsequently found "couldn't create pid file /var/run/named.pid" in our logs.

It looks like root permission is needed to create the "named.pid" file, but is it critical?

LF

----- Original Message -----
From: "Kevin D" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 12, 2001 4:46 PM
Subject: Re: [cobalt-security] profile of a bind worm

> From: "Jabie Gray" <[EMAIL PROTECTED]>
>
> > My named is running as root too.
>
> Bad idea.
>
> > I see two instances of the daemon function in the /etc/rc.d/init.d/named
> > script. One is for start, the other is for hard restart.
> > Do I need to change both of them to use -u & -g options?
>
> Yes you should.
>
> > Do I need to create the user and group of named?
>
> Maybe. Check your /etc/passwd file. My guess is probably not.
>
> Kevin
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security

--__--__--

Message: 16
Date: Tue, 12 Jun 2001 11:45:38 -0700 (PDT)
From: shimi <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: [cobalt-security] profile of a bind worm
Reply-To: [EMAIL PROTECTED]

On Tue, 12 Jun 2001, Jabie Gray wrote:

> My named is running as root too.
> I see two instances of the daemon function in the /etc/rc.d/init.d/named
> script. One is for start, the other is for hard restart.
> Do I need to change both of them to use -u & -g options?

Of course. Otherwise one of them will load as u/g named, while the other as root.
> Do I need to create the user and group of named?

If they don't already exist, yes. lines as follows:

/etc/passwd:
named:x:25:25:named nonpriviliged account:/etc/named:/bin/false

/etc/group:
named:x:25:

> Thanks,
> Jabie
> mailto:[EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin D
> Sent: Monday, June 11, 2001 8:30 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [cobalt-security] profile of a bind worm
>
>
> From: "Robson Martins" <[EMAIL PROTECTED]>
>
> > Hey all, i have bind-8.2.3 running here, my question is, when i run it with
> > start it is the user named but if i restart, it gets the root username, is
> > it a problem? Can i receive a worm with this problem? Named need always run
> > as named? Restart is really affecting the username?
>
> How are you restarting? your /etc/rc.d/init.d/named script should have this
> in the start section:
>
> daemon named -u named -g named
>
> Which should start bind as user named if you do this:
>
> /etc/rc.d/init.d/named stop
> /etc/rc.d/init.d/named start
>
> Bind running as root is a problem, but less of a problem if you have ver
> 8.2.3. If a new bind vulnerability is discovered for ver 8.2.3, a hacker
> could easily gain root access to your box. What saved me from the worst
> effects of a bind worm was bind running as named instead of root.
>
> Kevin
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

--__--__--

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

End of cobalt-security Digest
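
The check discussed in the "profile of a bind worm" thread, as an added example that is not part of the original digest: it reports every `daemon named` line in an init script that lacks `-u` or `-g`, together with the case section it sits in, and confirms that a non-root `named` user and a `named` group exist. The function names and the sample init script are constructed for illustration; the passwd and group entries are the ones quoted in Message 16.

```shell
#!/bin/sh
# Added example: find init-script sections that would start BIND as root.

# audit_named_init FILE
# Prints "LINE:SECTION:missing <options>" for each `daemon named` line without
# -u and/or -g. Returns 1 if any such line exists or no invocation is found.
audit_named_init() {
    awk '
        /^[ \t]*#/ { next }
        # Remember the current case label, such as start) or hard-restart).
        /^[ \t]*[A-Za-z_|-]+\)/ { section = $1; sub(/\).*/, "", section) }
        /daemon[ \t]+named/ {
            found = 1; m = ""
            if ($0 !~ /[ \t]-u[ \t]+[^ \t]+/) m = m " -u"
            if ($0 !~ /[ \t]-g[ \t]+[^ \t]+/) m = m " -g"
            if (m != "") { bad = 1; printf "%d:%s:missing%s\n", NR, section, m }
        }
        END { if (bad || !found) exit 1 }
    ' "$1"
}

# named_account_ok PASSWD GROUP
# Succeeds only if user "named" exists with a non-zero uid and group "named"
# exists; a uid-0 "named" would give no benefit from -u.
named_account_ok() {
    awk -F: '$1 == "named" && $3 != 0 { ok = 1 } END { exit ok ? 0 : 1 }' "$1" &&
    awk -F: '$1 == "named" { ok = 1 } END { exit ok ? 0 : 1 }' "$2"
}

# Constructed sample: start) drops privileges, hard-restart) does not.
write_sample_init() {
    cat > "$1" <<'EOF'
#!/bin/sh
case "$1" in
  start)
        daemon named -u named -g named
        ;;
  hard-restart)
        killproc named
        daemon named
        ;;
esac
EOF
}

tmp=$(mktemp -d)
write_sample_init "$tmp/named.init"
printf 'root:x:0:0:root:/root:/bin/sh\nnamed:x:25:25:named nonpriviliged account:/etc/named:/bin/false\n' > "$tmp/passwd"
printf 'root:x:0:\nnamed:x:25:\n' > "$tmp/group"
audit_named_init "$tmp/named.init" || echo "named would start as root from the sections listed above"
named_account_ok "$tmp/passwd" "$tmp/group" && echo "named user and group present"
rm -rf "$tmp"
```

On a real system the arguments would be /etc/rc.d/init.d/named, /etc/passwd and /etc/group.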
