Bruce,

We are using ipchains, thanks to Gerald ;-). Not sure what or if it logs. I'll have to dig around.

Not using this Qube 3 for anything more than email and no one but me has shell access. And it is completely up to date on patches including the two that have come out the last two weeks (Proftpd today and Mutt last week); even though the thing has been EOL'd on 2/17/2004 with an update from Sun (?) :-)

Qube3-All-Security-4.0.1-14935 1.0 Squid Security Update 1/8/2003

That the one you were thinking of ?

Thanks !

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Timberlake
Sent: Tuesday, April 20, 2004 1:42 PM
To: [EMAIL PROTECTED]
Subject: [cobalt-security] Re: Need some help on "spam" report

Are there any CGI- or PHP-based forms-to-mail on the server? That's the most common way to exploit a "locked" server. Or does anyone have shell access? You could look at their .bash_history files and see if they did anything via commandline. I also don't know if the webmail on the Qube can be used to send spam.

And check to make sure you have Squid patched up (or ideally disabled); there was a fairly nasty exploit for it a while back. That might be how they got through as well.

Well, you'd have to have some sort of iptables/ipchains-like recording of your HTTP traffic, and then look through it for any connections to posting.google.com (216.239.37.122). But there's no way to do this retroactively if you didn't have logging in place at the time. And that would only tell you that an HTTP session was initiated, not *how* it was done.

Active Monitor processes the logs every hour now. That was done in reaction to customer complaints that the logs weren't being processed quickly enough on the older products... :)

The setting might be in /etc/logrotate.conf, but I think Active Monitor is configured in CCE, so you'd have to find the relevant entry there and modify it.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
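
Added example, not part of the original thread: a sketch of the log review described above, picking outbound HTTP session starts to 216.239.37.122 out of ipchains packet-log lines. It assumes an output-chain rule with the `-l` flag was already logging to syslog in the usual "Packet log:" format; the function name, host name and sample lines are constructed for illustration.

```python
import re

TARGET_IP = "216.239.37.122"  # posting.google.com, as quoted in the thread

# Assumed syslog format for ipchains rules that carry -l:
# Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. [SYN] (#<rule>)
PACKET_LOG = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<rest>.*?)\(#(?P<rule>\d+)\)\s*$"
)

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Apr 20 13:05:11 qube kernel: Packet log: output ACCEPT eth0 PROTO=6 192.0.2.10:1042 216.239.37.122:80 L=60 S=0x00 I=4711 F=0x4000 T=64 SYN (#1)
Apr 20 13:05:11 qube kernel: Packet log: output ACCEPT eth0 PROTO=6 192.0.2.10:1042 216.239.37.122:80 L=52 S=0x00 I=4712 F=0x4000 T=64 (#1)
Apr 20 13:05:40 qube kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:3301 192.0.2.10:25 L=60 S=0x00 I=9001 F=0x4000 T=52 SYN (#2)
Apr 20 13:06:02 qube kernel: Packet log: output ACCEPT eth0 PROTO=6 192.0.2.10:1043 216.239.37.122:80 L=60 S=0x00 I=4720 F=0x4000 T=64 SYN (#1)
Apr 20 13:06:30 qube kernel: Packet log: output ACCEPT eth0 PROTO=17 192.0.2.10:1030 203.0.113.53:53 L=58 S=0x00 I=4725 F=0x0000 T=64 (#1)
Apr 20 13:07:00 qube sendmail[812]: constructed non-firewall line
""".splitlines()

def outbound_http_sessions(lines, target_ip=TARGET_IP, port=80):
    """Return one record per TCP SYN leaving the box for target_ip:port."""
    hits = []
    for line in lines:
        m = PACKET_LOG.match(line)
        if not m:
            continue  # not an ipchains packet-log line
        if m["chain"] != "output" or m["proto"] != "6":
            continue  # only locally generated TCP traffic
        if m["dst"] != target_ip or int(m["dport"]) != port:
            continue
        if "SYN" not in m["rest"].split():
            continue  # count each session once, at its opening SYN
        hits.append({"time": m["stamp"], "src": m["src"],
                     "sport": int(m["sport"]), "rule": int(m["rule"])})
    return hits

if __name__ == "__main__":
    for hit in outbound_http_sessions(SAMPLE_LOG):
        print(hit)
```

Each hit gives a timestamp and local source port that can be lined up against web server, CGI and mail logs for the same minute; as the message says, the firewall log alone shows that a session started, not what started it.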
