G'day listers

Friend of mine got this email from his strictly PC IT manager, blaming him for 
an attack on his network via my mate's Power Mac (which is on the network).

I can't really help him, but knowing you guys, someone will know what's going 
on.

This IT guy is very, very anti Mac.

Asterisks are mine.


Any advice please.

Regards

Santa



Begin forwarded message:

> Subject: wtf is this guy talking about?
> 
> Pls, if you can find time I've a favor: can you clue me in to what to tell 
> this fn IT guy who sent me the below and my VICE PRESIDENT this ****
> Begin forwarded message:
> 
> 
> Take a look at the two messages that I got from the firewall.  And then the 
> reference material below that. Try to figure out what your system is trying 
> to do. The ip address you were going to doesn't show up in DNS and it only 
> shows up as an Akamai site provided by MCI / Verizon.  It is possible you're 
> running Apache as part of something else that got installed and you are not 
> intentionally using it.  Look for a process called httpd. That would be the 
> server process running. Kill it and stop it from running automatically if you 
> didn't set it up.  If you did, try getting updates to fix this hole.
> 
> 
> Subject: NetScreen Event Alarms Reported From UEI-SSG140
> 
> [00001] 2010-05-14 12:42:54 [Root]system-critical-00601: 
> HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 150.2.0.***/57750 to 
> **.*.**,***/** through policy 8 1 times.
> 
> [00002] 2010-05-14 12:42:49 [Root]system-critical-00601: 
> HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 150.2.0.***/57749 
> to **.*.**,***/** through policy 8 1 times.
> 
> 
> Researched meaning.
> 
> HTTP:APACHE:MODPHP-UPLOAD-HOF
> Description
> This signature detects attempts to exploit a known vulnerability against 
> mod_php in Apache. Attackers can send a maliciously crafted HTTP POST request 
> to execute arbitrary code on the affected server. 
> Severity
> CRITICAL 
> Group
> HTTP:APACHE 
> Supported By
> sos-5.1.0, idp-sos-3.0, sos-5.2.0, idp-3.2.0, sos-5.3.0-Default, 
> sos-5.3.0-SMB-Server, idp-4.0.0, idp-3.2r2, idp-4.1.0, idp-sos-3.4.0, 
> idp-jsrx-9.4, idp-sos-3.5.0, idp-srx-9.2, idp-4.2.0, idp-jservices-9.4, 
> idp-5.0.0, idp-jsr-9.5, idp-sos-3.4.125129, idp-4.0.110090709, 
> idp-4.0.110090831, idp-4.1.110090831, idp-4.2.110090831, idp-5.0.110090831, 
> idp-sos-3.1.134269, idp-sos-3.5.134268, idp-4.2.110091104, idp-5.0.110091104, 
> idp-4.1.110091104, idp-sos-3.1.134919, idp-sos-3.4.134907, 
> idp-sos-3.5.134907, idp-4.1.110100209, idp-4.2.110100209, idp-5.0.110100209 
> Extended Description
> PHP is a widely deployed scripting language, designed for web based 
> development and CGI programming. PHP does not perform proper bounds checking 
> in functions related to Form-based File Uploads in HTML (RFC1867). 
> Specifically, this problem occurs in the functions which are used to decode 
> MIME encoded files. As a result, it may be possible to overrun the buffer 
> used for the vulnerable functions to cause arbitrary attacker-supplied 
> instructions to be executed. PHP is invoked through webservers remotely. It 
> may be possible for remote attackers to execute this vulnerability to gain 
> access to target systems. A vulnerable PHP interpreter module is available 
> for Apache servers that is often enabled by default. 
> Affected Products
> •Cobalt Control Station 4100CS
> •Cobalt Qube3 4000WG
> •Cobalt Qube3 Japanese 4000WGJ
> •Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
> •Cobalt Qube3 Japanese w/Caching 4010WGJ
> •Cobalt Qube3 w/ Caching and RAID 4100WG
> •Cobalt Qube3 w/Caching 4010WG
> •Cobalt RaQ 550
> •Cobalt RaQ XTR 3500R
> •Cobalt RaQ XTR Japanese 3500R-ja
> •Cobalt RaQ4 3001R
> •Cobalt RaQ4 Japanese RAID 3100R-ja
> •Cobalt RaQ4 RAID 3100R
> •Compaq Secure Web Server PHP
> •Corporate Server
> •Engarde Secure Linux
> •LX50
> •Linux
> •Linux Mandrake
> •Mac OS X
> •MediaBase
> •Multi Network Firewall
> •OpenLinux Server
> •OpenLinux Workstation
> •PHP
> •Secure Linux
> •Secure OS software for Linux
> •Single Network Firewall
> References
> •X-Force: 8281 
> •BugTraq ID: 4183 
> •CVE: CVE-2002-0081 
> •http://www.juniper.net/security/auto/vulnerabilities/vuln1085.html
> 

And what, you ask, was the beginning of it all?
And it is this......
Existence that multiplied itself
For sheer delight of being
And plunged with numberless trillions of forms
So that it might
find
itself
innumerably

Sri Aurobindo



-- 
You received this message because you are a member of G-Group, a group for 
those using G3, G4, and G5 desktop Macs - with a particular focus on Power Macs.
The list FAQ is at http://lowendmac.com/lists/g-list.shtml and our netiquette 
guide is at http://www.lowendmac.com/lists/netiquette.shtml
To post to this group, send email to g3-5-list@googlegroups.com
For more options, visit this group at http://groups.google.com/group/g3-5-list
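The useful detail in the two firewall lines is the direction of the connection, not the signature name. Both alarms say the Mac was the source, from ports 57749 and 57750 (consecutive ephemeral client ports), going to an outside address, and the signature text itself says the vulnerable code is mod_php "on the affected server" reached by an HTTP POST. In other words the firewall saw the Mac acting as an HTTP client sending a POST to a remote web server, which is what a browser does when uploading a file, and whether or not an httpd process exists on the Mac has no bearing on that. The script below is an added example for this thread, not code from the list, from Juniper or from Apple: it parses NetScreen alarm lines of the format quoted above and works out which end of the connection the signature concerns. The two sample lines are constructed; the masked octets from the original are replaced with placeholder addresses (150.2.0.10 and 203.0.113.5) and the masked destination port is assumed to be 80, none of which come from the original message. The second sample line reproduces the missing space after "to" seen in the original, which the parser tolerates.

```python
"""Parse NetScreen/Juniper alarm lines and decide which host a server-side
HTTP signature actually concerns.  Added example; the sample data below is
constructed (placeholder addresses and an assumed destination port of 80)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample alarms modelled on the lines quoted in the thread; each
# alarm is on a single line here (the mail client wrapped the originals).
SAMPLE_ALERTS = """\
[00001] 2010-05-14 12:42:54 [Root]system-critical-00601: HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 150.2.0.10/57750 to 203.0.113.5/80 through policy 8 1 times.
[00002] 2010-05-14 12:42:49 [Root]system-critical-00601: HTTP:APACHE:MODPHP-UPLOAD-HOF has been detected from 150.2.0.10/57749 to203.0.113.5/80 through policy 8 1 times.
"""

# Field layout of the alarm line: sequence, timestamp, vsys, message id,
# signature, source ip/port, destination ip/port, policy id, hit count.
ALERT_RE = re.compile(
    r"^\[(?P<seq>\d+)\]\s+"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<vsys>[^\]]+)\](?P<msgid>system-[a-z]+-\d+):\s+"
    r"(?P<signature>\S+) has been detected from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)\s+to\s*"          # tolerate 'to203...'
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) through policy (?P<policy>\d+) "
    r"(?P<count>\d+) times\.$"
)

# Signature families whose vulnerable code runs on the HTTP *server*.
SERVER_SIDE_PREFIXES = ("HTTP:APACHE:",)
HTTP_PORTS = {80, 443, 8080, 8443}


@dataclass
class Alert:
    seq: int
    timestamp: str
    vsys: str
    msgid: str
    signature: str
    src: str
    sport: int
    dst: str
    dport: int
    policy: int
    count: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alarm line; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(int(g["seq"]), g["timestamp"], g["vsys"], g["msgid"],
                 g["signature"], g["src"], int(g["sport"]), g["dst"],
                 int(g["dport"]), int(g["policy"]), int(g["count"]))


def parse_alerts(text: str) -> List[Alert]:
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def flagged_host_role(alert: Alert) -> str:
    """'client' if the source host looks like the HTTP client of the flagged
    connection (ephemeral source port, HTTP destination port), 'server' if
    the reverse, otherwise 'unknown'."""
    if alert.dport in HTTP_PORTS and alert.sport >= 1024:
        return "client"
    if alert.sport in HTTP_PORTS and alert.dport >= 1024:
        return "server"
    return "unknown"


def host_to_check(alert: Alert) -> str:
    """Address of the host whose web server software the signature concerns.
    For a server-side Apache signature on a client->server request that is
    the destination, not the machine that sent the POST."""
    if alert.signature.startswith(SERVER_SIDE_PREFIXES):
        role = flagged_host_role(alert)
        if role == "client":
            return alert.dst
        if role == "server":
            return alert.src
    return "unknown"


def summarize(text: str) -> Dict[Tuple[str, str], int]:
    """Total hits per (source host, signature), summing the 'N times' field."""
    totals: Dict[Tuple[str, str], int] = {}
    for a in parse_alerts(text):
        key = (a.src, a.signature)
        totals[key] = totals.get(key, 0) + a.count
    return totals


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.timestamp} {a.signature}: {a.src}:{a.sport} -> "
              f"{a.dst}:{a.dport}  flagged host is the HTTP "
              f"{flagged_host_role(a)}; server to examine: {host_to_check(a)}")
    print(summarize(SAMPLE_ALERTS))
```

Run over the two sample lines, `flagged_host_role` reports the Mac as the HTTP client and `host_to_check` points at the remote address, so the sensible follow-up is to ask what the user was uploading at 12:42 on 14 May (and to check the signature's date: CVE-2002-0081 describes a PHP 4.1-era bug, and a POST that merely resembles an upload is enough to trip an old signature), rather than to hunt for an httpd process on the client.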