
[cobalt-users] LION WORM still roaming- VERIFY, Verify, verify....



> At 08:24 19/04/01 +0100, Jamie Rossi wrote:
> >We were hacked this week on a RAQ3, and our Hosting provider (one of the
> >world's largest) gave us the following response......
=========================================================
> >Blocking service definitely was not our intention. It seems the "broken"
> >files were moved but were not replaced....hmmm. I have replaced the files
> >with known good files. Your server was compromised by the lion worm as it
> >was running BIND 8.2.2-P7 which is exploitable by this virus.

> >We did not use a Cobalt patch to fix the compromised servers - we had to
> >design custom scripts and gather files to fix them. I guess the patch kits
> >made by Cobalt were not adequate to protect your machine against this virus.
> >Cobalt must have decided that 8.2.2-P7 was good enough even though the
> >warnings said 8.2.3 was the answer. I'm not sure if they have a more recent
> >patch kit or not.
=========================================================

Just bringing this thread over from the developers-list as I know there are
some newbies that should read this.
I had no problem updating BIND using the Cobalt patch, BUT:

I'm no guru that's for sure and in watching this list for a few months now,
there were numerous posts regarding the BIND update not working.  A few
people mentioned they had upgraded BIND with a new patch and yet it still
showed as the old/vulnerable BIND.  I have no idea who, what, where, when or
how but I just want to remind everyone to VERIFY the patches are working.
In this case 'ndc status' will show the current named version as others have
shown.  Also, rpm -q [package] will tell you which version of a particular
package is currently working. Example: rpm -q proftpd (will show you the
current running version of proFTP) or rpm -q bind !  I highly suggest
getting a Linux book that has all the commands (400 pages of them) like
"Linux in a Nutshell", by O'Reilly.  If you get advice from someone
regarding a problem, it's always nice to refer to that section of the book
to learn more about the COMMAND and all switches and options.

Always VERIFY the updates have taken and thanks to the people here that
drilled that into my head!
D~
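
An added example, not part of the original post: a small shell check for the verification step the message describes. It compares the version in `rpm -q bind` output and in the first line of `ndc status` against 8.2.3, the release the quoted provider names as the fix; the function names and sample strings are constructed, and the output formats they assume may differ on a given system.

```shell
#!/bin/sh
# Added example: confirm a BIND update took effect. Both the installed package
# and the running named must report at least FIXED (8.2.3, per the thread).
FIXED="8.2.3"

# Print the first x.y.z triple found in a one-line string, e.g.
# "bind-8.2.2_P7-C2" or "named 8.2.3-REL Sat Jan 27 ..." (assumed formats).
ver_triple() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Return 0 if version $1 >= version $2, comparing numerically field by field
# (so 8.10.0 is newer than 8.2.3, which a string compare would get wrong).
ver_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # splits into: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# check_bind PKG_STRING STATUS_LINE: print a verdict; return 0 only when OK.
check_bind() {
    pkg=$(ver_triple "$1"); run=$(ver_triple "$2")
    if [ -z "$pkg" ] || [ -z "$run" ]; then
        echo "UNKNOWN: could not parse a version"; return 2
    fi
    if ! ver_ge "$pkg" "$FIXED"; then
        echo "VULNERABLE: installed package $pkg is older than $FIXED"; return 1
    fi
    if ! ver_ge "$run" "$FIXED"; then
        echo "STALE: package is $pkg but running named reports $run"; return 1
    fi
    echo "OK: package $pkg, running named $run"
}

# On the server, using the commands named in the post:
#   check_bind "$(rpm -q bind)" "$(ndc status | head -n 1)"
# Constructed sample strings (not captured from a real machine):
check_bind "bind-8.2.3-C1" "named 8.2.2-P7 Sat Nov 11 00:00:00 PST 2000" || true
check_bind "bind-8.2.3-C1" "named 8.2.3-REL Sat Jan 27 00:00:00 PST 2001" || true
```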