
[cobalt-users] Raq3 Logcheck question & other hack questions



How does one verify that logcheck is working?

After installing it with a half-hourly cron entry, it seemed to work and
sent two alert emails 30 minutes apart. Since then nothing, and the
secure log has entries like these that I would think would trigger an alert:

Feb 16 07:56:05 ww2 proftpd[20871]: edited.net (e220037.upc-e.chello.nl[213.93.220.37]) - no such user 'anonymous'
Feb 16 07:56:05 ww2 last message repeated 4 times
Feb 16 07:56:05 ww2 proftpd[20871]: edited.net (e220037.upc-e.chello.nl[213.93.220.37]) - USER anonymous (Login failed): Can't find user.
Feb 16 07:56:06 ww2 proftpd[20871]: edited.net (e220037.upc-e.chello.nl[213.93.220.37]) - FTP session closed.

Also Logcheck on a Raq4 has not generated a single report.


BTW, with all the attention on the Bind exploit, the ProFTP exploit was
overlooked.
The RPM release announcements last week seemed to focus on Bind, and as I had
already patched Bind I didn't pay close attention to them and overlooked the
ProFTP RPMs. Seems 2 of my Raqs were hacked via the ProFTP exploits. And to
think that in a week's time Cobalt STILL hasn't released a ProFTP pkg release.
Is Cobalt still taking the stance that installing an RPM via the command line
is a warranty-voiding event?

If the RPMs were installed, do you have to install the pkg version when it's
released? Are changes made between the time the 'experimental' RPMs are
released and the time the 'official' PKGs are released?

What's the best procedure for flattening a hacked production Raq3? Would one
use the CMU utility to move the sites off the infected box and then back
again?
I'm hesitant about using it since the last time it hosed all the site cgi's.

Has Cobalt released, or will it release, some type of official Sun/Cobalt
procedure or guideline paper on restoring a hacked production Server Appliance?

Does anyone have any comments, opinions on whether Sun/Cobalt is doing
enough to deal with this fiasco?