What version of OS X is he running? Apache is active if he has "Web Sharing" enabled in 10.5; I think it's called "Personal Web Sharing" in 10.4.
-sri

On May 15, 1:34 am, Brian Christmas <b...@tpg.com.au> wrote:
> G'day listers
>
> Friend of mine got this email from his strictly PC IT manager, blaming him
> for an attack on his network via my mate's Power Mac (which is on the network).
>
> I can't really help him, but knowing you guys, someone will know what's going
> on.
>
> This IT guy is very, very anti Mac.
>
> Asterisks are mine.
>
> Any advice please.
>
> Regards
>
> Santa
>
> Begin forwarded message:
>
> > Subject: wtf is this guy talking about?
> >
> > Pls, if you can find time I've a favor can you clue me in to what to tell
> > this fn IT guy who sent me the below and my VICE PRESIDENT this ****
> >
> > Begin forwarded message:
> >
> > Take a look at the two messages that I got from the firewall. And then the
> > reference material below that. Try to figure out what your system is trying
> > to do. The ip address you were going to doesn't show up in DNS and it only
> > shows up as an Akamai site provided by MCI / Verizon. It is possible
> > you're running Apache as part of something else that got installed and you
> > are not intentionally using it. Look for a process called httpd. That
> > would be the server process running. Kill it and stop it from running
> > automatically if you didn't set it up. If you did, try getting updates to
> > fix this hole.
> >
> > Subject: NetScreen Event Alarms Reported From UEI-SSG140
> >
> > [00001] 2010-05-14 12:42:54 [Root]system-critical-00601:
> > HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 150.2.0.***/57750 to
> > **.*.**,***/** through policy 8 1 times.
> >
> > [00002] 2010-05-14 12:42:49 [Root]system-critical-00601:
> > HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 150.2.0.***/57749
> > to**.*.**,***/** through policy 8 1 times.
> >
> > Researched meaning.
> >
> > HTTP:APACHE:MODPHP-UPLOAD-HOF
> >
> > Description
> > This signature detects attempts to exploit a known vulnerability against
> > mod_php in Apache. Attackers can send a maliciously crafted HTTP POST
> > request to execute arbitrary code on the affected server.
> >
> > Severity
> > CRITICAL
> >
> > Group
> > HTTP:APACHE
> >
> > Supported By
> > sos-5.1.0, idp-sos-3.0, sos-5.2.0, idp-3.2.0, sos-5.3.0-Default,
> > sos-5.3.0-SMB-Server, idp-4.0.0, idp-3.2r2, idp-4.1.0, idp-sos-3.4.0,
> > idp-jsrx-9.4, idp-sos-3.5.0, idp-srx-9.2, idp-4.2.0, idp-jservices-9.4,
> > idp-5.0.0, idp-jsr-9.5, idp-sos-3.4.125129, idp-4.0.110090709,
> > idp-4.0.110090831, idp-4.1.110090831, idp-4.2.110090831, idp-5.0.110090831,
> > idp-sos-3.1.134269, idp-sos-3.5.134268, idp-4.2.110091104,
> > idp-5.0.110091104, idp-4.1.110091104, idp-sos-3.1.134919,
> > idp-sos-3.4.134907, idp-sos-3.5.134907, idp-4.1.110100209,
> > idp-4.2.110100209, idp-5.0.110100209
> >
> > Extended Description
> > PHP is a widely deployed scripting language, designed for web based
> > development and CGI programming. PHP does not perform proper bounds
> > checking in functions related to Form-based File Uploads in HTML
> > (RFC1867). Specifically, this problem occurs in the functions which are
> > used to decode MIME encoded files. As a result, it may be possible to
> > overrun the buffer used for the vulnerable functions to cause arbitrary
> > attacker-supplied instructions to be executed. PHP is invoked through
> > webservers remotely. It may be possible for remote attackers to execute
> > this vulnerability to gain access to target systems. A vulnerable PHP
> > interpreter module is available for Apache servers that is often enabled by
> > default.
> >
> > Affected Products
> > • Cobalt Control Station 4100CS
> > • Cobalt Qube3 4000WG
> > • Cobalt Qube3 Japanese 4000WGJ
> > • Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
> > • Cobalt Qube3 Japanese w/Caching 4010WGJ
> > • Cobalt Qube3 w/ Caching and RAID 4100WG
> > • Cobalt Qube3 w/Caching 4010WG
> > • Cobalt RaQ 550
> > • Cobalt RaQ XTR 3500R
> > • Cobalt RaQ XTR Japanese 3500R-ja
> > • Cobalt RaQ4 3001R
> > • Cobalt RaQ4 Japanese RAID 3100R-ja
> > • Cobalt RaQ4 RAID 3100R
> > • Compaq Secure Web Server PHP
> > • Corporate Server
> > • Engarde Secure Linux
> > • LX50
> > • Linux
> > • Linux Mandrake
> > • Mac OS X
> > • MediaBase
> > • Multi Network Firewall
> > • OpenLinux Server
> > • OpenLinux Workstation
> > • PHP
> > • Secure Linux
> > • Secure OS software for Linux
> > • Single Network Firewall
> >
> > References
> > • X-Force: 8281
> > • BugTraq ID: 4183
> > • CVE: CVE-2002-0081
> > • http://www.juniper.net/security/auto/vulnerabilities/vuln1085.html
>
> And what, you ask, was the beginning of it all?
> And it is this......
> Existence that multiplied itself
> For sheer delight of being
> And plunged with numberless trillions of forms
> So that it might
> find
> itself
> innumerably
>
> Sri Aurobindo
>
> --
> You received this message because you are a member of G-Group, a group for
> those using G3, G4, and G5 desktop Macs - with a particular focus on Power
> Macs.
> The list FAQ is at http://lowendmac.com/lists/g-list.shtml and our netiquette
> guide is at http://www.lowendmac.com/lists/netiquette.shtml
> To post to this group, send email to g3-5-list@googlegroups.com
> For more options, visit this group at http://groups.google.com/group/g3-5-list
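
The two NetScreen alarm records quoted in the forwarded message can be split into fields for triage (which source, which signature, how often, to where). The Python below is an added example, not part of the original thread or of any Juniper tool: the record layout is inferred only from the two quoted records, and the addresses and destination port in the sample are constructed placeholders, since the thread masks the real ones.

```python
import re
from datetime import datetime

# Layout inferred from the two alarm records quoted in the thread (an assumption,
# not a vendor-published grammar). Masked fields such as "150.2.0.***" still match.
ALARM_RE = re.compile(
    r"\[(?P<seq>\d+)\] (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"\[(?P<vsys>[^\]]+)\]system-(?P<level>\w+)-(?P<msg_id>\d+): "
    r"(?P<signature>\S+) has been detected from "
    r"(?P<src>\S+)/(?P<sport>\S+) to ?(?P<dst>\S+)/(?P<dport>\S+) "
    r"through policy (?P<policy>\d+) (?P<count>\d+) times\."
)

def parse_alarms(text):
    """Parse alarms from raw or mail-quoted ("> > ") text, undoing line wraps."""
    lines = (re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    flat = re.sub(r"\s+", " ", " ".join(lines))
    alarms = []
    for m in ALARM_RE.finditer(flat):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["count"] = int(rec["count"])
        alarms.append(rec)
    return alarms

def summarize(alarms):
    """Group by (source address, signature): hits, first/last seen, destinations."""
    summary = {}
    for a in alarms:
        s = summary.setdefault((a["src"], a["signature"]),
                               {"hits": 0, "first": a["ts"], "last": a["ts"], "dsts": set()})
        s["hits"] += a["count"]
        s["first"], s["last"] = min(s["first"], a["ts"]), max(s["last"], a["ts"])
        s["dsts"].add(f'{a["dst"]}/{a["dport"]}')
    return summary

# Constructed sample: record layout, timestamps and signature as quoted in the thread;
# addresses (RFC 5737 documentation ranges) and destination port are placeholders.
SAMPLE = """\
> > [00001] 2010-05-14 12:42:54 [Root]system-critical-00601:
> > HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 192.0.2.10/57750 to
> > 198.51.100.7/80 through policy 8 1 times.
> > [00002] 2010-05-14 12:42:49 [Root]system-critical-00601:
> > HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 192.0.2.10/57749
> > to198.51.100.7/80 through policy 8 1 times.
"""

if __name__ == "__main__":
    for (src, sig), s in summarize(parse_alarms(SAMPLE)).items():
        print(src, sig, s["hits"], s["first"], s["last"], sorted(s["dsts"]))
```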