Re: possible hole in mozilla et al
At 15:38 2002-05-08 -0600, Tim Uckun wrote:
> The situation right now is that for production you run an ancient system or cross your fingers, hold your breath and run unstable.

Coming from a corporate environment I hardly feel that stable is ancient. With most commercial operating systems the quality control seems so poor it takes a few years before we feel comfortable moving to a new release. But with Debian I can point to the unstable-testing-stable system and my boss understands that it has already gone through a 'teething' period before it's released. If Debian were to accelerate the path to stable too much, stable would lose its value to us (unless security fixes were released for older stable versions).

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: what's that?
It's a cron job belonging to root that changes its user before it goes to work.

At 11:21 2002-04-05 +0600, Kirill Zverev wrote:
> Hi!
>
> I found that in my logs:
>
> Apr 4 06:25:01 cmss su[30315]: + ??? root-nobody
> Apr 4 06:25:01 cmss PAM_unix[30315]: (su) session opened for user nobody by (uid=0)
>
> who could use su at six o'clock in the morning?
>
> --
> Regards, Kirill Zverev mailto:[EMAIL PROTECTED]
Re: apache log entry
At 10:08 2001-10-09 +1000, brendan hack wrote:
> Hi All,
>
> I found a strange entry hidden among all the IIS exploit attempts in my apache access log today:
>
> 61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] GET http://61.177.66.228:8283/ HTTP/1.0 200 756
>
> Does anyone know if this is some sort of attack attempt? It doesn't seem to make any sense as a log entry as there is no leading '/' on the url portion and there is no corresponding error log entry saying that the file 'http://61.177.66.228:8283/' couldn't be found. I also find the fact that the client IP and the url are the same suspicious. I tried retrieving the same file myself using mozilla (http://webserver/http://61.177.66.228:8283/) and it created a similar access entry but with a '/' at the start of the url and there was an error log entry generated. There was a peak in traffic from the server the day after this log entry which instigated the check. Any suggestions will be appreciated.

This may be an attack, or a scan for open HTTP proxies. The log line itself is a request for your server to act as a proxy, connecting to the URL shown in the logs. Apache will ignore the 'protocol://host:port' portion of the URL if it is not set up to do proxying.

> just being paranoid

Paranoid is good.
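An added example, not part of the original thread: a small Python filter that picks proxy-style requests (an absolute URL or a CONNECT in the request line) out of an Apache access log, as discussed in the message above. The first sample line is the one quoted in the thread; the other lines, the function names and the `review` flag are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Common Log Format; quotes around the request are optional because the
# line quoted in the thread has lost them.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"?(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"? '
    r'(?P<status>\d{3}) (?:\d+|-)$'
)

def classify(line):
    """Return a finding dict for a proxy-style request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method == "CONNECT":                      # authority-form target
        kind, host = "connect", target.rsplit(":", 1)[0]
    elif not target.startswith("/") and "://" in target:
        kind, host = "absolute-uri", urlsplit(target).hostname
    else:                                        # ordinary origin-form path
        return None
    status = int(m["status"])
    return {
        "client": m["client"],
        "kind": kind,
        "target": target,
        "status": status,
        # The poster's observation: URL host equals the requesting address.
        "self_referential": host == m["client"],
        # A 2xx does not prove relaying (Apache may have served its own
        # page), so it only marks the line for follow-up.
        "review": 200 <= status < 300,
    }

def scan(lines):
    return [f for f in map(classify, lines) if f]

SAMPLE = [
    # From the thread:
    '61.177.66.228 - - [07/Oct/2001:21:28:44 +1000] GET http://61.177.66.228:8283/ HTTP/1.0 200 756',
    # Constructed lines below (documentation addresses):
    '192.0.2.10 - - [08/Oct/2001:09:00:00 +1000] "GET /http://61.177.66.228:8283/ HTTP/1.1" 404 290',
    '192.0.2.10 - - [08/Oct/2001:09:00:05 +1000] "GET /index.html HTTP/1.1" 200 756',
    '198.51.100.7 - - [08/Oct/2001:09:01:00 +1000] "CONNECT mail.example.net:25 HTTP/1.0" 405 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The path-style request the poster made from a browser (leading '/') is deliberately not flagged, which is the difference between the two log entries he compared.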