From owner-freebsd-isp Sun Sep 16 10:03:17 2001
From: Fabrizio Ravazzini
Date: Sun, 16 Sep 2001 19:03:01 +0200 (CEST)
To: Bob Martin
Cc: freebsd-isp@freebsd.org
Subject: Re: Mail Server - Round Robin Load Distribution
Message-ID: <20010916170301.66091.qmail@web20106.mail.yahoo.com>
In-Reply-To: <3BA3A4C1.C344A6F@buckhorn.net>

Ok, so I understood that the right records are:

domain.com IN MX 10 mail1.domain.com
domain.com IN MX 10 mail2.domain.com

mail1.domain.com IN A 1.2.3.4
mail2.domain.com IN A 1.2.3.5

but do I have load distribution whatever version of Bind installed in the nameserver?
bye and thanks.

--- Bob Martin wrote:
> Len Conrad wrote:
> >
> > >Internet Explorer V4.x, Outlook and Outlook Express V4.x, Netscape
> > >V4.x (On your Unix box, with netscape running, do a ps -ax... that dns
> > >helper is a caching resolver) Once any of these find a working name==ip,
> > >they will continue to use it until the pair fails.
> >
> > hmm. ok, application-level caching.
> >
> > The corporate DNS admin who was designing to roll out W2K and AD to 60K
> > desktops made the point of W2K "resolver" doing caching.
> >
> > >I was being overly simplistic. But using multiple RR's won't load
> > >balance, it causes [hopefully] load sharing
> >
> > yes, if "balancing" implies load detection. Alternating RR physical
> > sequence is dumb load sharing, load distribution.
> >
> > >, assuming nothing between
> > >the client and the authoritative server caches the response from the
> > >authoritative server.
> >
> > a caching BIND DNS will also respect its RRorder param.
> >
> > > More to the point of this thread, and using your
> > >example, all of aol's mail servers have separate names, and A records,
> > >but have the same MX priority. And on high traffic networks, DNS based
> > >load sharing won't work for a number of reasons, but primarily because
> > >of client caching,
> >
> > it will and does work
> >
> > > and that this method of load distribution doesn't
> > >take server responsiveness into account.
> >
> > yep, it's dumb, but it's a lot better than no load sharing.
> Unless one of the servers in the round robin goes down.
> >
> > > For clarity on that last point,
> > >I'll use the example of 2 mail servers with MX records of equal
> > >preference. Each will handle every other request. But if every other
> > >request is a list
> >
> > what's a query for a "list" ?
> Think MTA, not DNS. List as in email list, like FreeBSD-ISP.
> >
> > >, one server is going to end up doing a lot more work
> > >than the other, possibly to the point of failure.
> >
> > what?
> See chapter 10 of the 3rd edition of DNS and Bind, and FAQ.2of2
> question 5.13 (From ICS)
> >
> > > While this tends to
> > >affect web servers more than mail servers, it's still the reason they
> > >build load balancers.
> >
> > Note that DNS-based load balancers have extremely short TTL's, which will
> > slow the average access time due to loss of caching.
> >
> > > There is also a problem with the authoritative
> > >name servers and timing. If I dig at aol.com 10 times in a row, I will
> > >get cyclic answers. But if I dig at aol.com once an hour for 10 hours
> > >(which is far more likely in the real world) I'm apt to get a much
> > >higher incidence of the same response.
> >
> > why?
> >
> > >Again, this is a much bigger problem on a high volume network.
> >
> > why?
> Because sooner or later the authoritative DNS server is going to forget
> what it told my resolver, and will give me the first item in the list.
> High volume networks have more servers, and NS1 doesn't have a clue what
> NS2 just told me. Let alone NS3, NS4 and NS5. The more infrequent my
> queries, the more apt I am to be given the address of the same server
> twice in a row. A network that handles a million DNS queries an hour
> will dequeue old information more often than one that answers a 1000 DNS
> queries a day, once again improving my ability to get the address of the
> same server twice in a row.
> >
> > > ok, your answer is right, for the wrong reasons. :))
> > >A different way of arriving at the same conclusion perhaps?
> >
> > yes, my right way, and your wrong way. :))
> That's not what I get from RFC 974 :)
> >
> > >Some place in the midst of this discussion, somebody ought to point out
> > >that no matter what you do, using CNAME's for mail servers is a bad
> > >idea.
> >
> > CNAME's are to be avoided.
> >
> > > Pick the MTA of your choice, go to their web site, and you are
> > >bound to find something about CNAME loops in the FAQ.
> >
> > CNAME's are to be avoided.
> >
> > Much more common is an MX hostname being an ip address.
> >
> > Len
> >
> > http://MenAndMice.com/DNS-training
> > http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
> > http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
> >
> Bob
> --
> But in our enthusiasm, we could not resist a radical overhaul of the
> system, in which all of its major weaknesses have been exposed,
> analyzed, and replaced with new weaknesses.
> -- Bruce Leverett, "Register Allocation in Optimizing Compilers"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message

From owner-freebsd-isp Sun Sep 16 10:17:47 2001
From: Bob Martin
Date: Sun, 16 Sep 2001 12:18:01 -0500
To: Fabrizio Ravazzini
Cc: freebsd-isp@freebsd.org
Subject: Re: Mail Server - Round Robin Load Distribution
Message-ID: <3BA4DEC9.6C8536@buckhorn.net>
References: <20010916170301.66091.qmail@web20106.mail.yahoo.com>

Fabrizio Ravazzini wrote:
>
> Ok, so I understood that the right records are:
>
> domain.com IN MX 10 mail1.domain.com
> domain.com IN MX 10 mail2.domain.com
>
> mail1.domain.com IN A 1.2.3.4
> mail2.domain.com IN A 1.2.3.5
>
> but do I have load distribution whatever version of
> Bind installed in the nameserver?
> bye and thanks.
> --Edited for brevity

This will work as long as you are using BIND from ISC.org.
(That's what comes with FreeBSD) It will probably work with other name servers as well, but I don't have any first hand knowledge of that.

As a footnote, you should be using BIND-8.2.4-REL or newer for security reasons. (Details at http://www.isc.org/bind/ )

To find out which version you are using, issue the following command:

/usr/sbin/named -v

Bob Martin.

From owner-freebsd-isp Sun Sep 16 10:23:52 2001
From: Len Conrad
Date: Sun, 16 Sep 2001 12:23:32 -0500
To: Freebsd-isp@freebsd.org
Subject: Re: Mail Server - Round Robin Load Distribution
Message-Id: <5.1.0.14.0.20010916122149.04e71640@mail.Go2France.com>
In-Reply-To: <20010916170301.66091.qmail@web20106.mail.yahoo.com>
References: <3BA3A4C1.C344A6F@buckhorn.net>

> domain.com IN MX 10 mail1.domain.com
> domain.com IN MX 10 mail2.domain.com
>
> mail1.domain.com IN A 1.2.3.4
> mail2.domain.com IN A 1.2.3.5

correct, but don't forget those "root" dots at the end of your FQDN's

>but do I have load distribution whatever version of
>Bind installed in the nameserver?

yes, by default RRset order is cyclical.

Len

http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways

From owner-freebsd-isp Sun Sep 16 16:32:22 2001
From: Stanley Hopcroft
Date: Mon, 17 Sep 2001 09:31:59 +1000
To: freebsd-isp@FreeBSD.ORG
Subject: Re: MailServer+sms server + Fax server
Message-ID: <20010917093158.B4260@IPAustralia.Gov.AU>

Dear Sir,

I am writing to thank you for your letter and say that,

On Wed, Sep 12, 2001 at 07:38:56PM +0300, Odhiambo Washington wrote:
> * Fabrizio Ravazzini [20010910 10:31]: writing on the subject 'MailServer+sms server + Fax server'
> | Hello all, I've to project a server as in the object
> | of the mail.
> | So the server must be :
> | Mail Server
> | sms server
> | Fax Server.
> |
> | I'm able to make with FreeBSD the Mail Server with
> | Qmail,Vpopmail,CourierImap & Sqwebmail, but for the sms
> | and Fax...don't know what to look for.
> | Are there some software easy to install and manage to
> | realize sms and fax?
> | I've found HylaFax but seems difficult to install...
>
> I can help you with HylaFAX to a good extent. Please give me a shout.
> With SMS, you have to assist me. I also need it.

SMSLink (from SourceForge.NET) is a Linux SMS server that I have been using on FreeBSD for about a year with reasonable results.

The product
- looks well designed and implemented (to my amateur eye)
- both sends and receives SMS messages (received messages go to email addresses)
- needs a GSM modem (eg Wavecom WM 02)
- relies on a Linux library called 'libmodem'
- provides a socket interface with a simple ASCII protocol for sending SMS messages. It's easy to construct an email to SMS gateway for example.
- supports via libmodem, multiple modems
- actively developed and helpful developer.

The only downside is that the Linux libmodem library doesn't seem to lock the modem properly under FreeBSD 4.x (4.3-RELEASE at the moment) and this leads to poor performance - ie delivery failure, delivery retry ad nauseam - under heavy SMS load (for delivery, outbound SMS via the modems).

There is no package but the library cleanly. Someone may wish to take this on as a port/package.

>
> -Wash
>
> --
> Odhiambo Washington

Thank you,

Yours sincerely.

--
------------------------------------------------------------------------
Stanley Hopcroft
IP Australia
Network Specialist
+61 2 6283 3189
+61 2 6281 1353 (FAX)
Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
"Nuclear war would mean abolition of most comforts, and disruption of normal routines, for children and adults alike."
-- Willard F. Libby, "You *Can* Survive Atomic Attack"

From owner-freebsd-isp Mon Sep 17 02:56:54 2001
From: "Martyn Routley"
Date: Mon, 17 Sep 2001 10:56:46 +0100
To: "Freebsd-ISP"
Subject: Looking for DNS advice
In-Reply-To: <183367723.20010911171449@com2com.ru>

We are soon making 2 fundamental changes to our network.

1) A change of provider, requiring us to change our IP address allocation.
2) A physical change of location.

We expect to be "switched off" for no more than 2 hours while servers are moved from old to new locations.

Both changes are happening at the same time. Can anybody suggest ways of configuring our DNS to ensure that we are visible again as soon as possible after the move?
Martyn Routley
-----------------------------------------------------
InvictaNet - The Internet in Plain English, Guaranteed
http://www.invictanet.co.uk
info@invictanet.co.uk
phone: 08707 440180 fax: 08707 440181
------------------------------------------------------

From owner-freebsd-isp Mon Sep 17 03:08:07 2001
From: Paul Robinson
Date: Mon, 17 Sep 2001 11:07:58 +0100
To: Martyn Routley
Cc: Freebsd-ISP
Subject: Re: Looking for DNS advice
Message-ID: <20010917110758.E24811@jake.akitanet.co.uk>
References: <183367723.20010911171449@com2com.ru>

On Sep 17, Martyn Routley wrote:
> We are soon making 2 fundamental changes to our network.
>
> 1) A change of provider, requiring us to change our IP address allocation.
> 2) A physical change of location.
>
> We expect to be "switched off" for no more than 2 hours while servers are
> moved from old to new locations.
>
> Both changes are happening at the same time. Can anybody suggest ways of
> configuring our DNS to ensure that we are visible again as soon as possible
> after the move?

Seven days before you move, bring your TTL and Expire in the zone files down to 3600 (one hour). When you go to move, bring it down to 5 minutes. When you've moved, bring it back up to a week again for normal service.

All of this means that people are going to be querying you a lot and so will pick up the changes quite quickly when you move. However, some stupid Windows boxen will always cache for 7 days, no matter what you do.

In an ideal world you would have kit on both sites, both IP ranges temporarily serving both and then you could do some clever round-robin'ing for a week or so. Alternatively, consider moving to something like 'eddie' for a while to help you juggle this.

Good luck with changing all those NS records for the domains you're hosting (if you have many). :-)

--
Paul Robinson                     ,---------------------------------------
Technical Director @ Akita        | A computer lets you make more mistakes
PO Box 604, Manchester, M60 3PR   | than any other invention with the
T: +44 (0) 161 228 6388 (F:6389)  | possible exceptions of handguns and
                                  | Tequila - Mitch Ratcliffe
                                  `-----

From owner-freebsd-isp Mon Sep 17 05:12:42 2001
From: Jan Knepper
Date: Mon, 17 Sep 2001 08:07:53 -0400
Message-ID: <3BA5E799.4040308@digitaldaemon.com>
To: FreeBSD ISP, FreeBSD Questions, FreeBSD Hackers, FreeBSD Announce, ezmlm
Subject: AWO!!!! (America Will Overcome!!!!)

I found the following in one of my many mailboxes this morning. I thought it was great and really wanted to share it with everyone!

Please, check out http://www.mp3.com/justjouett and play the song "Made In America"

It certainly made my day!

Thanks!
Jan

PS: What is stronger/better:
AWO (America Will Overcome)
ASO (America Shall Overcome)
Better ideas?!

From owner-freebsd-isp Mon Sep 17 07:09:20 2001
From: Bill Vermillion
Date: Mon, 17 Sep 2001 10:08:45 -0400
To: Martyn Routley
Cc: Freebsd-ISP
Subject: Re: Looking for DNS advice
Message-ID: <20010917100844.D6164@wjv.com>
Reply-To: bv@wjv.com
References: <183367723.20010911171449@com2com.ru>

On Mon, Sep 17, 2001 at 10:56:46AM +0100, Martyn Routley thus sprach:
> We are soon making 2 fundamental changes to our network.
> 1) A change of provider, requiring us to change our IP address
> allocation. 2) A physical change of location.
> We expect to be "switched off" for no more than 2 hours while
> servers are moved from old to new locations.
> Both changes are happening at the same time. Can anybody suggest
> ways of configuring our DNS to ensure that we are visible again as
> soon as possible after the move?

Another reply mentioned changing the timing. I also made the changes at NSI so that one of the name server entries pointed to the old name server IP block and one to the new name IP block. Since those changes can take awhile I considered this an appropriate way at the time. Then after we got totally on the new network I changed the remaining NSI pointer.

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-isp Tue Sep 18 10:06:14 2001
From: Jan Knepper
Date: Tue, 18 Sep 2001 13:01:28 -0400
To: FreeBSD ISP
Subject: Code Red?!
Message-ID: <3BA77DE8.8080304@digitaldaemon.com>
Is today another Code Red day or did I miss something somewhere?

Jan

Attachment: httpd-access.log

63.105.91.99 - - [18/Sep/2001:13:00:22 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:22 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:22 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:22 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:23 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:23 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:23 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:23 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:23 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:23 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:24 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:24 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:27 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:27 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:27 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:27 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:27 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:27 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:28 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:28 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:28 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:28 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:28 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:28 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 288 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299
63.105.91.99 - - [18/Sep/2001:13:00:29 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 299 "-" "-"

From owner-freebsd-isp Tue Sep 18 10:07:49 2001
From: Adam Serediuk
Date: Tue, 18 Sep 2001 11:06:42 -0600
To: 'Jan Knepper', FreeBSD ISP
Subject: RE: Code Red?!
Message-ID: <493DE418616E9D48A5DB8E9FAAE1A8CF03F5C4D4@EXCHANGE.bwalk.com>

A similar worm is indeed out, just an hour ago it started. You can get some information at
http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml

"We cannot discount the coincidence of the date and time of release, exactly one week to (probably to the minute) as the World Trade Center attack."

Draw your own conclusions.
-----Original Message-----
From: Jan Knepper [mailto:jan@digitaldaemon.com]
Sent: Tuesday, September 18, 2001 11:01 AM
To: FreeBSD ISP
Subject: Code Red?!

Is today another Code Red day or did I miss something somewhere?

Jan

From owner-freebsd-isp Tue Sep 18 10:08:40 2001
From: Chris Faulhaber
Date: Tue, 18 Sep 2001 13:08:26 -0400
To: Jan Knepper
Cc: FreeBSD ISP
Subject: Re: Code Red?!
Message-ID: <20010918130826.A16424@peitho.fxp.org>
In-Reply-To: <3BA77DE8.8080304@digitaldaemon.com>

On Tue, Sep 18, 2001 at 01:01:28PM -0400, Jan Knepper wrote:
> Is today another Code Red day or did I miss something somewhere?
>
> Jan
>

Nope, just another IIS worm:

http://www.trusecure.com/html/tspub/hypeorhot/rxalerts/tsa01024_cid177.shtml

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-isp Tue Sep 18 10:10:49 2001
From: Paul Boehmer
Date: Tue, 18 Sep 2001 13:10:41 -0400
To: freebsd-isp@freebsd.org
Subject: Re: Code Red?!
Message-Id: <3.0.6.32.20010918131041.41301100@mail.seidata.com>
In-Reply-To: <3BA77DE8.8080304@digitaldaemon.com>

At 01:01 PM 9/18/01 -0400, you wrote:
>Is today another Code Red day or did I miss something somewhere?
>
>Jan
>

Slashdot has reported this as a new kind of attack. All of my "BSD" web servers are reporting similar activity.

+--------------------------------------------------------+
| Paul Boehmer             SEI Data, Inc.                |
| Systems Administrator    888-200-4392 [V]              |
| pboehmer@seidata.com     812-744-8000 [F]              |
+--------------------------------------------------------+
5 out of 4 people have problems with fractions

From owner-freebsd-isp Tue Sep 18 11:19:36 2001
From: "Gary D. Margiotta"
Date: Tue, 18 Sep 2001 14:17:25 -0400 (EDT)
To: Paul Boehmer
Cc: freebsd-isp@freebsd.org
Subject: Re: Code Red?!
In-Reply-To: <3.0.6.32.20010918131041.41301100@mail.seidata.com>

Will also concur that we've seen it in our mix of BSD and Sun, Apache and NES/iPlanet servers.

I have heard reports of a 'resurgence' of the Code Red worm. In addition, we just got word from one of our offices that there is another happy joy M$ Outlook-based e-mail attachment worm which goes through the address book, spams everyone in it and shares out the C: drive for unrestricted sharing.

-Gary

"Complexity breeds bugs. Bugs prevent adoption, lack of adoption results in death. Death not good."

On Tue, 18 Sep 2001, Paul Boehmer wrote:

> At 01:01 PM 9/18/01 -0400, you wrote:
> >Is today another Code Red day or did I miss something somewhere?
> >
> >Jan
> >
>
> Slashdot has reported this as a new kind of attack. All of my "BSD" web servers are reporting similar activity.
>
> +--------------------------------------------------------+
> | Paul Boehmer             SEI Data, Inc.                |
> | Systems Administrator    888-200-4392 [V]              |
> | pboehmer@seidata.com     812-744-8000 [F]              |
> +--------------------------------------------------------+
> 5 out of 4 people have problems with fractions

From owner-freebsd-isp Tue Sep 18 11:44:22 2001
From: Bill Vermillion
Date: Tue, 18 Sep 2001 14:43:44 -0400
To: "Gary D. Margiotta"
Cc: Paul Boehmer, freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-ID: <20010918144344.B18054@wjv.com>
Reply-To: bv@wjv.com
References: <3.0.6.32.20010918131041.41301100@mail.seidata.com>

On Tue, Sep 18, 2001 at 02:17:25PM -0400, Gary D.
Margiotta thus sprach: > Will also concur that we've seen it in our mix of BSD and Sun, > Apache and NES/iPlanet servers. > I have heard reports of a 'resurgence' of the Code Red worm. I appears to be named the 'nimda' worm. On some of my very lightly trafficed sites 60% of the log entries are error messages from that, both in the access and error logs. The log shows 9:31:15AM EST. I'm getting about 300 entries per hour in both the access log and the error log - and these sites are relatively obscure but well connected. > In addition, we just got word from one of our offices that there > is another happy joy M$ Outlook-based e-mail attachement worm > which goes through the address book, spams everyone in it and > shares out the C: drive for unrestricted sharing. And totally off subject there is an InfoWorld columnist today who pointed out the FrontPage license prohibits it's use on any site that disparages, MS, MSNBC, Expedia, and a few others. With the worms and this maybe a few more will rethink these products. -- Bill Vermillion - bv @ wjv . com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message From owner-freebsd-isp Tue Sep 18 13:40:17 2001 Delivered-To: freebsd-isp@freebsd.org Received: from buffnet4.buffnet.net (buffnet4.buffnet.net [205.246.19.13]) by hub.freebsd.org (Postfix) with ESMTP id 0289D37B40E for ; Tue, 18 Sep 2001 13:40:11 -0700 (PDT) Received: from buffnet11.buffnet.net (buffnet11.buffnet.net [205.246.19.55]) by buffnet4.buffnet.net (8.9.3/8.8.7) with ESMTP id QAA99772; Tue, 18 Sep 2001 16:45:10 -0400 (EDT) (envelope-from shovey@buffnet.net) Date: Tue, 18 Sep 2001 16:39:30 -0400 (EDT) From: Stephen Hovey To: bv@wjv.com Cc: "Gary D. Margiotta" , Paul Boehmer , freebsd-isp@FreeBSD.ORG Subject: Re: Code Red?! 
In-Reply-To: <20010918144344.B18054@wjv.com>

I got an outage notice from sprint over what looked like a code red packet flood everyplace

On Tue, 18 Sep 2001, Bill Vermillion wrote:

> On Tue, Sep 18, 2001 at 02:17:25PM -0400, Gary D. Margiotta thus
> sprach:
>
> > Will also concur that we've seen it in our mix of BSD and Sun,
> > Apache and NES/iPlanet servers.
>
> > I have heard reports of a 'resurgence' of the Code Red worm.
>
> It appears to be named the 'nimda' worm. On some of my very lightly
> trafficked sites 60% of the log entries are error messages from
> that, both in the access and error logs. The log shows
> 9:31:15AM EST.
>
> I'm getting about 300 entries per hour in both the access log and
> the error log - and these sites are relatively obscure but well
> connected.
>
> > In addition, we just got word from one of our offices that there
> > is another happy joy M$ Outlook-based e-mail attachment worm
> > which goes through the address book, spams everyone in it and
> > shares out the C: drive for unrestricted sharing.
>
> And totally off subject there is an InfoWorld columnist today
> who pointed out the FrontPage license prohibits its use on any
> site that disparages MS, MSNBC, Expedia, and a few others. With
> the worms and this maybe a few more will rethink these products.
> --
> Bill Vermillion - bv @ wjv . com
>

From owner-freebsd-isp Tue Sep 18 14:20:08 2001
Date: Tue, 18 Sep 2001 16:17:58 -0500
From: Eric_Stanfield@kenokozie.com
To: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
X-Mailer: Lotus Notes Release 5.0.2a November 23, 1999

I find it interesting that everyone I've talked to today has logged the initial nimda attack within 30 seconds of the time you listed below (after adjusting for timezones).

Conspiracy theories aside, given what's been happening with the terrorist activities in this country (usa) somebody needs to put a large sized gun to Microsoft's corporate head and demand a complete and thorough security review of their operating system and applications as well as the patches to fix what I'm sure would be a big list of discovered problems. Independent review of the process would also be nice heh.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eric Stanfield, K2Access
Keno Kozie Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000


Bill Vermillion
Sent by: owner-freebsd-isp@FreeBSD.ORG
09/18/01 01:43 PM
Please respond to bv

        To:      "Gary D. Margiotta"
        cc:      Paul Boehmer, freebsd-isp@FreeBSD.ORG
        Subject: Re: Code Red?!


On Tue, Sep 18, 2001 at 02:17:25PM -0400, Gary D. Margiotta thus sprach:

> Will also concur that we've seen it in our mix of BSD and Sun,
> Apache and NES/iPlanet servers.

> I have heard reports of a 'resurgence' of the Code Red worm.

It appears to be named the 'nimda' worm. On some of my very lightly trafficked sites 60% of the log entries are error messages from that, both in the access and error logs. The log shows 9:31:15AM EST.

I'm getting about 300 entries per hour in both the access log and the error log - and these sites are relatively obscure but well connected.

> In addition, we just got word from one of our offices that there
> is another happy joy M$ Outlook-based e-mail attachment worm
> which goes through the address book, spams everyone in it and
> shares out the C: drive for unrestricted sharing.

And totally off subject there is an InfoWorld columnist today who pointed out the FrontPage license prohibits its use on any site that disparages MS, MSNBC, Expedia, and a few others. With the worms and this maybe a few more will rethink these products.

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-isp Tue Sep 18 17:20:43 2001
Date: Tue, 18 Sep 2001 20:20:05 -0400
From: Bill Vermillion
To: Eric_Stanfield@kenokozie.com
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-ID: <20010918202005.B19613@wjv.com>
Reply-To: bv@wjv.com
In-Reply-To: ; from Eric_Stanfield@kenokozie.com on Tue, Sep 18, 2001 at 04:17:58PM -0500
Organization: W.J.Vermillion / Orlando - Winter Park

On Tue, Sep 18, 2001 at 04:17:58PM -0500, Eric_Stanfield@kenokozie.com thus sprach:

> I find it interesting that everyone I've talked to today has
> logged the initial nimda attack within 30 seconds of the time you
> listed below (after adjusting for timezones).

I've seen an acceleration of the attack this evening [EST].

I've had log files just exploding in size. They are growing at well over 500 lines per minute. We have a small company doing specialized work and we have our own racks in a communications facility. The servers have 100Mbit uplinks into the OC-192 backbone so I'm not going to be limited by pipe width, which also means that I can't get faster too.

I've just turned off all logging for web traffic as I didn't want to have the systems fall over for lack of drive space.

Just a reminder here to check your log files to make sure something like this doesn't happen to you.

Just a file guess but here the nimda traffic is probably about 5 times more than the highest CodeRed days. I'm sure glad I have NO MS machines that I maintain but a client has two in our racks and I called them about 1030 this AM. I wish them luck.

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-isp Tue Sep 18 17:34:20 2001
Date: Tue, 18 Sep 2001 20:34:08 -0400 (EDT)
From: Stephen Hovey
To: bv@wjv.com
Cc: Eric_Stanfield@kenokozie.com, freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
In-Reply-To: <20010918202005.B19613@wjv.com>

Actually this isn't all bad - a lot of my competitors folded or even promote NT.. and will fold... I refuse! FreeBSD is the way man!

On Tue, 18 Sep 2001, Bill Vermillion wrote:

> On Tue, Sep 18, 2001 at 04:17:58PM -0500,
> Eric_Stanfield@kenokozie.com thus sprach:
>
> > I find it interesting that everyone I've talked to today has
> > logged the initial nimda attack within 30 seconds of the time you
> > listed below (after adjusting for timezones).
>
> I've seen an acceleration of the attack this evening [EST].
>
> I've had log files just exploding in size. They are growing at
> well over 500 lines per minute. We have a small company doing
> specialized work and we have our own racks in a communications
> facility. The servers have 100Mbit uplinks into the OC-192
> backbone so I'm not going to be limited by pipe width, which also
> means that I can't get faster too.
>
> I've just turned off all logging for web traffic as I didn't want
> to have the systems fall over for lack of drive space.
>
> Just a reminder here to check your log files to make sure something
> like this doesn't happen to you.
>
> Just a file guess but here the nimda traffic is probably about 5
> times more than the highest CodeRed days. I'm sure glad I have NO
> MS machines that I maintain but a client has two in our racks and I
> called them about 1030 this AM. I wish them luck.
>
>
> --
> Bill Vermillion - bv @ wjv . com
>

From owner-freebsd-isp Tue Sep 18 17:45:45 2001
Date: Wed, 19 Sep 2001 10:45:30 +1000
From: Rob Secombe
To: freebsd-isp@freebsd.org
Subject: Re: Code Red?!
Message-Id: <3.0.5.32.20010919104530.00795ca0@secombe>
In-Reply-To: <20010918202005.B19613@wjv.com>

Hi,

I am unfortunate enough to have one NT box :(

In case any of you are in a similar situation this is what I have done.

These worms appear only to attack using the ip address of the server on port 80 and not using a name, so at this stage they are not hitting the virtual webs, only the default web which has virtual directories with execute permissions set. I have all my customers sites running as virtual webs and have restricted the default server to just "localhost". The logs are growing with the rejection messages but I have relocated them to another drive where it won't hurt if it does fill up. Fingers crossed.

Cheers

Rob.
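Bill's reminder above to check the log files and Rob's observation that the probes arrive by IP address rather than by host name both come down to the same question: how much of the access log is worm traffic, and which virtual hosts is it landing on? The following Python script is an added example, not code from anyone in this thread; it reads Apache-style access logs with a leading %v (virtual host) field, counts probes per vhost and per source (so it also shows the named-vhost hits Stephen reports further down), measures lines per minute, and projects how long a log partition lasts at that rate. The log lines, host names, addresses, the 150-byte line size and the 100 MB free-space figure are constructed for the example; readme.eml is the only file name taken from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Apache's "%v %h %l %u %t \"%r\" %>s %b" format.
# Hosts, addresses and paths are made up; readme.eml is the one file name
# the thread itself mentions. The last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 198.51.100.7 - - [18/Sep/2001:09:31:15 -0400] "GET /scripts/readme.eml HTTP/1.0" 404 296
www.example.net 192.0.2.44 - - [18/Sep/2001:09:31:20 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 198.51.100.7 - - [18/Sep/2001:09:31:21 -0400] "GET /readme.eml HTTP/1.0" 404 296
customer.example.org 198.51.100.9 - - [18/Sep/2001:09:32:02 -0400] "GET /readme.eml HTTP/1.0" 404 296
www.example.net 192.0.2.44 - - [18/Sep/2001:09:32:05 -0400] "GET /images/logo.gif HTTP/1.1" 200 2048
203.0.113.10 198.51.100.23 - - [18/Sep/2001:09:32:07 -0400] "GET /readme.eml HTTP/1.0" 404 296
this line is not in the expected format
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A vhost field that is a bare address (optionally :port) means the request
# carried no host name, which is how Rob saw the worm arrive.
IP_VHOST_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$')
# Path fragments that mark a worm probe; extend this from your own logs.
PROBE_MARKERS = ("readme.eml",)


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    rec["ip_vhost"] = bool(IP_VHOST_RE.match(rec["vhost"]))
    return rec


def is_probe(rec):
    """A probe is any request for a known worm artifact, whatever its status."""
    path = rec["path"].lower()
    return any(marker in path for marker in PROBE_MARKERS)


def triage(log_text):
    """Count probes per vhost and per source, and measure log growth."""
    by_vhost, by_source, per_minute = Counter(), Counter(), Counter()
    total = malformed = probes = ip_vhost_probes = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        rec = parse_line(line)
        if rec is None:
            malformed += 1          # count it, but never let bad input abort triage
            continue
        per_minute[rec["when"].strftime("%Y-%m-%d %H:%M")] += 1
        if is_probe(rec):
            probes += 1
            by_vhost[rec["vhost"]] += 1
            by_source[rec["client"]] += 1
            ip_vhost_probes += int(rec["ip_vhost"])
    return {
        "total": total,
        "malformed": malformed,
        "probes": probes,
        "ip_vhost_probes": ip_vhost_probes,
        "named_vhost_probes": probes - ip_vhost_probes,  # Stephen's "log junk"
        "probes_by_vhost": dict(by_vhost),
        "top_sources": by_source.most_common(5),
        "peak_lines_per_minute": max(per_minute.values(), default=0),
    }


def hours_until_full(free_bytes, lines_per_minute, avg_line_bytes):
    """Hours before a log partition fills at a sustained write rate;
    inf when nothing is being written."""
    per_minute = lines_per_minute * avg_line_bytes
    if per_minute <= 0:
        return float("inf")
    return free_bytes / per_minute / 60.0


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    # Bill's 500 lines/min; 150 bytes per line and 100 MB free are assumptions.
    print("hours of log space left:", round(hours_until_full(100_000_000, 500, 150), 1))
```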
At 20:20 18/09/01 -0400, you wrote:
>On Tue, Sep 18, 2001 at 04:17:58PM -0500,
>Eric_Stanfield@kenokozie.com thus sprach:
>
>> I find it interesting that everyone I've talked to today has
>> logged the initial nimda attack within 30 seconds of the time you
>> listed below (after adjusting for timezones).
>
>I've seen an acceleration of the attack this evening [EST].
>
>I've had log files just exploding in size. They are growing at
>well over 500 lines per minute. We have a small company doing
>specialized work and we have our own racks in a communications
>facility. The servers have 100Mbit uplinks into the OC-192
>backbone so I'm not going to be limited by pipe width, which also
>means that I can't get faster too.
>
>I've just turned off all logging for web traffic as I didn't want
>to have the systems fall over for lack of drive space.
>
>Just a reminder here to check your log files to make sure something
>like this doesn't happen to you.
>
>Just a file guess but here the nimda traffic is probably about 5
>times more than the highest CodeRed days. I'm sure glad I have NO
>MS machines that I maintain but a client has two in our racks and I
>called them about 1030 this AM. I wish them luck.
>
>
>--
>Bill Vermillion - bv @ wjv . com
>

From owner-freebsd-isp Tue Sep 18 17:48:37 2001
Date: Tue, 18 Sep 2001 20:48:15 -0400 (EDT)
From: Stephen Hovey
To: Rob Secombe
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
In-Reply-To: <3.0.5.32.20010919104530.00795ca0@secombe>

No I have log junk on virtual hosts

On Wed, 19 Sep 2001, Rob Secombe wrote:

> Hi,
>
> I am unfortunate enough to have one NT box :(
>
> In case any of you are in a similar situation this is what I have done.
>
> These worms appear only to attack using the ip address of the server on
> port 80 and not using a name, so at this stage they are not hitting the
> virtual webs, only the default web which has virtual directories with
> execute permissions set. I have all my customers sites running as virtual
> webs and have restricted the default server to just "localhost". The logs
> are growing with the rejection messages but I have relocated them to
> another drive where it won't hurt if it does fill up. Fingers crossed.
>
> Cheers
>
> Rob.
>
>
> At 20:20 18/09/01 -0400, you wrote:
> >On Tue, Sep 18, 2001 at 04:17:58PM -0500,
> >Eric_Stanfield@kenokozie.com thus sprach:
> >
> >> I find it interesting that everyone I've talked to today has
> >> logged the initial nimda attack within 30 seconds of the time you
> >> listed below (after adjusting for timezones).
> >
> >I've seen an acceleration of the attack this evening [EST].
> >
> >I've had log files just exploding in size. They are growing at
> >well over 500 lines per minute. We have a small company doing
> >specialized work and we have our own racks in a communications
> >facility. The servers have 100Mbit uplinks into the OC-192
> >backbone so I'm not going to be limited by pipe width, which also
> >means that I can't get faster too.
> >
> >I've just turned off all logging for web traffic as I didn't want
> >to have the systems fall over for lack of drive space.
> >
> >Just a reminder here to check your log files to make sure something
> >like this doesn't happen to you.
> >
> >Just a file guess but here the nimda traffic is probably about 5
> >times more than the highest CodeRed days. I'm sure glad I have NO
> >MS machines that I maintain but a client has two in our racks and I
> >called them about 1030 this AM. I wish them luck.
> >
> >
> >--
> >Bill Vermillion - bv @ wjv . com
> >
>

From owner-freebsd-isp Tue Sep 18 18:07:46 2001
Date: Tue, 18 Sep 2001 21:07:35 EDT
From: Bsdguru@aol.com
To: adam@suitesystems.com
Cc: isp@freebsd.org, jan@digitaldaemon.com
Subject: Re: Code Red Solution
Message-ID: <135.1c537b7.28d949d7@aol.com>

We just installed this patch to Etinc's bandwidth manager that blocks all traffic from anyone that tries to access an unassigned IP address. So when they scan your network, as soon as they send to a bogus IP it firewalls out anything else they try to send so they can't scan you. It's pretty cool! You'll have to ask them for it, it's new but it works great. Right now I have 14 scanners that it's filtering.

Bryan

From owner-freebsd-isp Tue Sep 18 18:09:16 2001
Date: Wed, 19 Sep 2001 11:09:06 +1000
From: Rob Secombe
To: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-Id: <3.0.5.32.20010919110906.0377d560@secombe>
References: <3.0.5.32.20010919104530.00795ca0@secombe>

Yeah you're right. I have just noticed a couple of the virtual webs have been hit as well, but not nearly as often. So far it hasn't had any success finding anything to execute.

Commenced nail biting.

Rob.

At 20:48 18/09/01 -0400, Stephen Hovey wrote:
>No I have log junk on virtual hosts
>
>On Wed, 19 Sep 2001, Rob Secombe wrote:
>
>> Hi,
>>
>> I am unfortunate enough to have one NT box :(
>>
>> In case any of you are in a similar situation this is what I have done.
>>
>> These worms appear only to attack using the ip address of the server on
>> port 80 and not using a name, so at this stage they are not hitting the
>> virtual webs, only the default web which has virtual directories with
>> execute permissions set. I have all my customers sites running as virtual
>> webs and have restricted the default server to just "localhost". The logs
>> are growing with the rejection messages but I have relocated them to
>> another drive where it won't hurt if it does fill up. Fingers crossed.
>>
>> Cheers
>>
>> Rob.
>>
>>
>> At 20:20 18/09/01 -0400, you wrote:
>> >On Tue, Sep 18, 2001 at 04:17:58PM -0500,
>> >Eric_Stanfield@kenokozie.com thus sprach:
>> >
>> >> I find it interesting that everyone I've talked to today has
>> >> logged the initial nimda attack within 30 seconds of the time you
>> >> listed below (after adjusting for timezones).
>> >
>> >I've seen an acceleration of the attack this evening [EST].
>> >
>> >I've had log files just exploding in size. They are growing at
>> >well over 500 lines per minute. We have a small company doing
>> >specialized work and we have our own racks in a communications
>> >facility. The servers have 100Mbit uplinks into the OC-192
>> >backbone so I'm not going to be limited by pipe width, which also
>> >means that I can't get faster too.
>> >
>> >I've just turned off all logging for web traffic as I didn't want
>> >to have the systems fall over for lack of drive space.
>> >
>> >Just a reminder here to check your log files to make sure something
>> >like this doesn't happen to you.
>> >
>> >Just a file guess but here the nimda traffic is probably about 5
>> >times more than the highest CodeRed days. I'm sure glad I have NO
>> >MS machines that I maintain but a client has two in our racks and I
>> >called them about 1030 this AM. I wish them luck.
>> >
>> >
>> >--
>> >Bill Vermillion - bv @ wjv . com
>> >
>>
>

From owner-freebsd-isp Tue Sep 18 18:19:24 2001
Date: Tue, 18 Sep 2001 21:18:45 -0400
From: Bill Vermillion
To: Stephen Hovey
Cc: bv@wjv.com, Eric_Stanfield@kenokozie.com, freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-ID: <20010918211845.D19613@wjv.com>
Reply-To: bv@wjv.com
In-Reply-To: ; from shovey@buffnet.net on Tue, Sep 18, 2001 at 08:34:08PM -0400
Organization: W.J.Vermillion / Orlando - Winter Park

On Tue, Sep 18, 2001 at 08:34:08PM -0400, Stephen Hovey thus sprach:

> Actually this isn't all bad - a lot of my competitors folded or even
> promote NT.. and will fold... I refuse! FreeBSD is the way man!

After about 9 months getting highly frustrated with DOS 2.0 back in 1983 I moved to Unix and have never looked back. And 2.0 performed better than 3.0 when they started adding more cruft, and that trend has never changed.

Bill

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-isp Wed Sep 19 07:20:38 2001
Date: Wed, 19 Sep 2001 16:21:34 +0200 (CEST)
From: Leif Neland
Subject: nimda / readme.eml
Message-ID: <20010919161946.T17229-100000@arnold.neland.dk>

If you are using a proxyserver, install a redirect-program, which changes requests for "readme.eml" to something else, for instance a warning message saying "The site you are visiting is infected"

Leif

From owner-freebsd-isp Wed Sep 19 10:17:06 2001
-0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by vodka.tmg-ireland (8.11.5/8.11.5) with ESMTP id f7V9r8g28876; Fri, 31 Aug 2001 10:53:08 +0100 (BST) (envelope-from tony@mgn.co.uk) Date: Fri, 31 Aug 2001 10:53:07 +0100 From: Tony McCrory To: Glen Hollings Cc: freebsd-isp@FreeBSD.ORG Subject: Re: Broken SU In-Reply-To: Message-ID: MIME-Version: 1.0 X-MIMETrack: Itemize by SMTP Server on BELFASTN1/MG_CW(Release 5.07a |May 14, 2001) at 31/08/2001 15:01:23, MIME-CD by Notes Server on LNPRODUCTION1CW/MG_CW(Release 5.0.8 |June 18, 2001) at 19/09/2001 18:15:23, MIME-CD complete at 19/09/2001 18:15:23, Serialize by Router on LNPRODUCTION1CW/MG_CW(Release 5.0.8 |June 18, 2001) at 19/09/2001 18:16:40 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Are you in the wheel goup? Tony On Fri, 31 Aug 2001, Glen Hollings wrote: > > Has anyone ever experenced a broken SU command? > > I cant seem to SU to root when logged in as any 'normal' user.... > > eg > > normuser@bsdbox normuser]$su -m > Password: > > (stalls after this) > > > Or if I put in the wrong password > > normuser@bsdbox normuser]$su -m > Password: > Sorry > > (stalls after this) > > > it does this... > > putting sshd into debug mode doesnt seem to reveal anything of use.. 
>
> Here is an strace output of an attempted su:
>
> $strace su
> execve("/usr/bin/su", ["su"], [/* 20 vars */]) = 0
> __sysctl([hw.pagesize], 2, "\0\20\0\0", [4], NULL, 0) = 0
> mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x4005e000
> geteuid(0xbfbffc1c) = 0
> getuid() = 1002 (euid 0)
> open("/var/run/ld-elf.so.hints", O_RDONLY) = 3
> read(3, "Ehnt\1\0\0\0\200\0\0\0(\0\0\0\0\0\0\0\'\0\0\0\0\0\0\0\0"..., 128) = 128
> lseek(3, 128, SEEK_SET) = 128
> read(3, "/usr/lib:/usr/lib/compat:/usr/lo"..., 40) = 40
> close(3) = 0
> access("/usr/lib/libutil.so.3", F_OK) = 0
> open("/usr/lib/libutil.so.3", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0444, st_size=32848, ...}) = 0
> read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0h#\0\000"..., 4096) = 4096
> mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40066000
> mmap(0x4006e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x4006e000
> close(3) = 0
> access("/usr/lib/libskey.so.2", F_OK) = 0
> open("/usr/lib/libskey.so.2", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0444, st_size=24252, ...}) = 0
> read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0008\23\0"..., 4096) = 4096
> mmap(0, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4006f000
> mmap(0x40073000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x3000) = 0x40073000
> close(3) = 0
> access("/usr/lib/libmd.so.2", F_OK) = 0
> open("/usr/lib/libmd.so.2", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0444, st_size=34272, ...}) = 0
> read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\17\0\000"..., 4096) = 4096
> mmap(0, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40076000
> mmap(0x4007e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7000) = 0x4007e000
> close(3) = 0
> access("/usr/lib/libcrypt.so.2", F_OK) = 0
> open("/usr/lib/libcrypt.so.2", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0444, st_size=28588, ...}) = 0
> read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\16"..., 4096) = 4096
> mmap(0, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4007f000
> mmap(0x40086000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x6000) = 0x40086000
> mmap(0x40087000, 69632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x40087000
> close(3) = 0
> access("/usr/lib/libc.so.4", F_OK) = 0
> open("/usr/lib/libc.so.4", O_RDONLY) = 3
> fstat(3, {st_mode=S_IFREG|0444, st_size=572588, ...}) = 0
> read(3, "\177ELF\1\1\1\t\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\314-\1"..., 4096) = 4096
> mmap(0, 622592, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40098000
> mmap(0x40118000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x7f000) = 0x40118000
> mmap(0x4011c000, 81920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x4011c000
> close(3) = 0
> access("/usr/lib/libcrypt.so.2", F_OK) = 0
> access("/usr/lib/libmd.so.2", F_OK) = 0
> sigaction(SIGILL, {0x4004f0fc, [], 0}, {SIG_DFL}) = 0
> sigprocmask(SIG_BLOCK, NULL, []) = 0
> sigaction(SIGILL, {SIG_DFL}, NULL) = 0
> sigprocmask(SIG_BLOCK, ~[ILL TRAP ABRT EMT FPE BUS SEGV SYS], []) = 0
> sigprocmask(SIG_SETMASK, [], NULL) = 0
> readlink("/etc/malloc.conf", 0xbfbff6f4, 63) = -1 ENOENT (No such file or directory)
> mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x40130000
> break(0x804d000) = 0
> getpriority(PRIO_PROCESS, 0) = 0
> setpriority(PRIO_PROCESS, 0, -2) = 0
> getuid() = 1002 (euid 0)
> getlogin(0x401203f8, 0x11) = 0
> geteuid(0x4011b304) = 0
> break(0x804e000) = 0
> stat("/etc/spwd.db", {st_mode=S_IFREG|0600, st_size=40960, ...}) = 0
> open("/etc/spwd.db", O_RDONLY) = 3
> fcntl(3, F_SETFD, FD_CLOEXEC) = 0
> read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260
> break(0x804f000) = 0
> break(0x8050000) = 0
> break(0x8051000) = 0
> lseek(3, 28672, SEEK_SET) = 28672
> read(3, "\30\0\373\17\302\17\275\17r\17l\17$\17\37\17\344\16\337"..., 4096) = 4096
> break(0x8052000) = 0
> close(3) = 0
> geteuid(0x4011b304) = 0
> stat("/etc/spwd.db", {st_mode=S_IFREG|0600, st_size=40960, ...}) = 0
> open("/etc/spwd.db", O_RDONLY) = 3
> fcntl(3, F_SETFD, FD_CLOEXEC) = 0
> read(3, "\0\6\25a\0\0\0\2\0\0\4\322\0\0\20\0\0\0\0\f\0\0\1\0\0\0"..., 260) = 260
> break(0x8053000) = 0
> lseek(3, 24576, SEEK_SET) = 24576
> read(3, "\26\0\373\17\301\17\272\17i\17d\17\23\17\n\17\321\16\314"..., 4096) = 4096
> close(3) = 0
> geteuid(0x4006e3bc) = 0
> getegid(0x4006e3bc) = 1002
> setegid(0Password:
>
> anyone have any ideas?? please!
>
> Thanks
>
> **********************************************
> *Glen Hollings              | There Can't Be   *
> *Network Administrator      | a Crisis Today,  *
> *Global Info Links          | my schedule is   *
> *ghollings@admin.gil.com.au | already full.    *
> **********************************************
Date: Wed, 19 Sep 2001 19:37:49 +0200 (EET)
Message-Id: <20010919.193749.33975611.rix@estpak.ee>
To: tony@mgn.co.uk
Cc: GHollings@admin.gil.com.au, freebsd-isp@FreeBSD.ORG
Subject: Re: Broken SU
From: rivo nurges

From: Tony McCrory
Subject: Re: Broken SU
Date: Fri, 31 Aug 2001 10:53:07 +0100

> Are you in the wheel group?
The problem is with syslogd; restart syslogd and everything will be OK.

--
rix
http://www.ripe.net/cgi-bin/whois?rix@estpak.ee


Date: Wed, 19 Sep 2001 17:51:02 -0700
Message-Id: <200109200054.f8K0sPR24494@joshua.site-fx.net>
From: james@site-fx.net
To: freebsd-isp@freebsd.org
Subject: Virtual Domain Hosting

Hey People,

I have a question regarding virtual domain hosting. I would like to offer users the ability to build their own sendmail.cf file and add their own domain alias, and give them the ability to modify their own httpd.conf files. What is the best way to go about implementing virtual servers within the new FreeBSD system? Jail looks like what I want but I don't have a clue how to properly implement it.
- James


Date: Wed, 19 Sep 2001 22:17:27 -0400
Message-ID: <001101c1417a$664d6bd0$0100a8c0@alexus>
From: "alexus"
References: <200109200054.f8K0sPR24494@joshua.site-fx.net>
Subject: Re: Virtual Domain Hosting

I'd say use jail. This gives the user his/her own machine, root and etc etc etc.
Date: Wed, 19 Sep 2001 22:06:12 -0500
Message-ID: <3BA95D24.B5B737B9@tacni.com>
From: Tom ONeil
Organization: Texas American Communications Network Inc.
Subject: EMERGENCY - Arp attack? Am I being DOS'd ?

Network guy on vacation, pls help if you can.
Having major problems w/ my router getting overloaded.

See below - BTW - gw is my router.
# tcpdump -p | grep " arp "
tcpdump: listening on rl0
22:04:43.323267 arp who-has 216.178.158.211 tell router-216-178-158-1.tacni.net
22:04:43.398803 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
22:04:43.473615 arp who-has 216-178-189-15.tacni.net tell router-216-178-189-1.tacni.net
22:04:43.623222 arp who-has 216.178.155.95 tell gw
22:04:43.636589 arp who-has 216.178.188.168 tell gw
22:04:43.679175 arp who-has 216.178.136.88 tell gw
22:04:43.684980 arp who-has 216.178.135.108 tell gw
22:04:43.758496 arp who-has 209.251.183.42 tell gw
22:04:43.793178 arp who-has 216.178.155.158 tell gw
22:04:43.832945 arp who-has 216-178-189-22.tacni.net tell router-216-178-189-1.tacni.net
22:04:43.947669 arp who-has 216.178.155.26 tell gw
22:04:43.989166 arp who-has 209.251.183.163 tell gw
22:04:44.102455 arp who-has 209.251.183.1 tell 209.251.183.225
22:04:44.279331 arp who-has 216.178.155.78 tell gw
22:04:44.391065 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
22:04:44.666819 arp who-has 216.178.135.202 tell gw
22:04:44.824443 arp who-has 216.178.155.92 tell gw
22:04:44.977537 arp who-has 216.178.154.141 tell gw
22:04:45.070651 arp who-has 216.178.136.2 tell gw
22:04:45.116522 arp who-has 216.178.156.42 tell gw
22:04:45.116901 arp who-has 209.251.183.1 tell 209.251.183.225
22:04:45.296852 arp who-has 216.178.135.31 tell gw
22:04:45.391056 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
22:04:45.558506 arp who-has 216.178.188.1 tell 216.178.188.14

--
Thomas J. ONeil tom.oneil@tacni.com
http://www.tacni.net
"National Power, Local Presence"


Date: Wed, 19 Sep 2001 20:18:46 -0700 (PDT)
From: Brian Whalen
To: Tom ONeil
Subject: Re: EMERGENCY - Arp attack? Am I being DOS'd ?
In-Reply-To: <3BA95D24.B5B737B9@tacni.com>
Message-ID: <20010919201741.Q10874-100000@cx175057-a.ocnsd1.sdca.home.com>

You are about to become the network guy; this is a classic symptom of a very widespread attack going on now. See www.cert.org for example.

Brian "Sonic" Whalen
Success = Preparation + Opportunity
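A detection pass over tcpdump ARP output of the kind Tom posted, as an added example that is not from the original posts: it counts who-has requests per requesting host, checks how many of the asked-for addresses ever answered, and flags a requester that asks for many unanswered addresses at a high rate, which is what a gateway does when scanning traffic makes it resolve addresses nobody uses. The capture is constructed in the post's format; the rate and answered-fraction thresholds are assumptions to tune per network.

```python
"""Added example (not from the original posts): spot an ARP request storm in
tcpdump output like Tom's. A gateway that asks "who-has" for many addresses in
a short window and gets replies for few of them is resolving addresses that
are not in use, the signature of a scanning worm hitting a routed subnet.
"""
import re
from collections import defaultdict

# tcpdump ARP text as in the post; -n was not used, so the requester can be a
# name ("gw"). An optional parenthesised token may follow the target address.
WHO_HAS = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d+) arp who-has (\S+)(?: \(\S+\))? tell (\S+)")
REPLY = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+) arp reply (\S+) is-at ")

# Constructed capture: gw asks for 12 addresses in 1.1 s and one answers;
# 209.251.183.12 asks three times for its gateway, which does answer.
SAMPLE = """\
22:04:43.000000 arp who-has 216.178.155.95 tell gw
22:04:43.100000 arp who-has 216.178.188.168 tell gw
22:04:43.200000 arp who-has 216.178.136.88 tell gw
22:04:43.300000 arp who-has 216.178.135.108 tell gw
22:04:43.398803 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
22:04:43.400000 arp who-has 209.251.183.42 tell gw
22:04:43.500000 arp who-has 216.178.155.158 tell gw
22:04:43.600000 arp who-has 216.178.155.26 tell gw
22:04:43.700000 arp who-has 209.251.183.163 tell gw
22:04:43.800000 arp who-has 216.178.155.78 tell gw
22:04:43.900000 arp who-has 216.178.135.202 tell gw
22:04:44.000000 arp who-has 216.178.155.92 tell gw
22:04:44.100000 arp who-has 216.178.154.141 tell gw
22:04:44.200000 arp reply 216.178.155.95 is-at 0:50:da:12:34:56
22:04:44.391065 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
22:04:44.450000 arp reply 209.251.183.1 is-at 0:50:da:ab:cd:ef
22:04:45.391056 arp who-has 209.251.183.1 (Broadcast) tell 209.251.183.12
"""


def _seconds(h, m, s, frac):
    """Timestamp fields to seconds since midnight (capture within one day)."""
    return int(h) * 3600 + int(m) * 60 + int(s) + int(frac) / 10 ** len(frac)


def parse_arp(lines):
    """Yield (t, kind, target, requester); requester is None for replies."""
    for line in lines:
        m = WHO_HAS.match(line)
        if m:
            yield _seconds(*m.group(1, 2, 3, 4)), "request", m.group(5), m.group(6)
            continue
        m = REPLY.match(line)
        if m:
            yield _seconds(*m.group(1, 2, 3, 4)), "reply", m.group(5), None


def arp_storm_report(lines, rate_threshold=5.0, answered_fraction=0.5):
    """Per-requester summary plus the requesters that look like a storm.

    A requester is a suspect when its request rate (requests per second over
    its own first..last timestamp, floor 1 s) is at or above rate_threshold
    and fewer than answered_fraction of the addresses it asked for replied
    at any point in the capture.
    """
    first, last = {}, {}
    requests = defaultdict(int)
    targets = defaultdict(set)
    answered = set()
    for t, kind, target, requester in parse_arp(lines):
        if kind == "reply":
            answered.add(target)
            continue
        requests[requester] += 1
        targets[requester].add(target)
        first[requester] = min(first.get(requester, t), t)
        last[requester] = max(last.get(requester, t), t)
    report = {}
    for r, n in requests.items():
        window = max(last[r] - first[r], 1.0)
        report[r] = {"requests": n, "targets": len(targets[r]),
                     "answered": len(targets[r] & answered), "rate": n / window}
    suspects = sorted(
        (r for r, v in report.items()
         if v["rate"] >= rate_threshold
         and v["answered"] < answered_fraction * v["targets"]),
        key=lambda r: -report[r]["rate"])
    return report, suspects


if __name__ == "__main__":
    report, suspects = arp_storm_report(SAMPLE.splitlines())
    for r in sorted(report, key=lambda r: -report[r]["rate"]):
        v = report[r]
        print(f"{r:18} {v['requests']:3d} req {v['rate']:5.1f}/s "
              f"{v['answered']}/{v['targets']} targets answered")
    print("suspects:", suspects)
```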
Date: Thu, 20 Sep 2001 09:29:51 -0400
From: Robert Hough
To: freebsd-isp@freebsd.org
Subject: Re: nimda / readme.eml
Message-ID: <20010920092951.A88361@acidpit.org>

Is anyone using Apache's SetEnvIf to block these nimda requests from being logged? I've been playing with it, but can't seem to get it working right. I don't care about the requests themselves, just tired of it filling up our log files.
--
Robert Hough (rch@acidpit.org)


Date: Thu, 20 Sep 2001 20:47:10 +0300
From: Giorgos Keramidas
To: Rob Secombe
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-ID: <20010920204710.B23424@hades.hell.gr>
In-Reply-To: <3.0.5.32.20010919104530.00795ca0@secombe>

Rob Secombe wrote:
>
> These worms appear only to attack using the ip address of the server on
> port 80 and not using a name, so at this stage they are not hitting the
> virtual webs, ...

No, using smbclient to browse infected hosts that ``attacked'' my dialup FreeBSD at home, I discovered nimda traces in virtual directories too.
- giorgos


Date: Thu, 20 Sep 2001 20:39:11 +0300
From: Giorgos Keramidas
To: "Gary D. Margiotta"
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
Message-ID: <20010920203911.A23424@hades.hell.gr>
References: <3.0.6.32.20010918131041.41301100@mail.seidata.com>

Gary D. Margiotta wrote:
>
> In addition, we just got word from one of our offices that there is
> another happy joy M$ Outlook-based e-mail attachment worm which goes
> through the address book, spams everyone in it and shares out the C: drive
> for unrestricted sharing.

True.
Going through apache logs, I could find the IP addresses of a few Windows 98 machines, many Windows NT workstation/server machines, and several Windows 2000 boxes too. Having only recently installed Samba for accessing the files on a Windows box, I tried a few of them with:

% smbclient //ip.addr.of.host/c\$ -N

A surprisingly large number of these machines allowed me in. At least half of them had recently modified files in either C:\Inetpub\wwwroot or (depending on actual installation of IIS) on D:\Inetpub\wwwroot -- read ``recently modified'' as ``recently defaced sites''. Four of them had cdroms with backups still mounted on one of their drives. Blech.

I am appalled to find out how many of the sites that `attack' my box have already been victims of kiddies who are turning this new Windows trojan into a deface-the-world party.

- giorgos


Date: Thu, 20 Sep 2001 15:07:22 -0700 (PDT)
From: Brian Whalen
Subject: weird dns problem
Message-ID: <20010920150631.T14298-100000@cx175057-a.ocnsd1.sdca.home.com>

Any of you know why this would occur?? If I nslookup domainname authoritative-name-server, I get the root servers back; it's a complete failure.
Yet if I use it interactively:

nslookup
enter
server authoritative-name-server
enter
domainname

it works..

> nslookup sonicboom.org sol.earthlink.net
Authoritative answers can be found from:
(root)  nameserver = A.ROOT-SERVERS.NET
(root)  nameserver = H.ROOT-SERVERS.NET
(root)  nameserver = C.ROOT-SERVERS.NET
(root)  nameserver = G.ROOT-SERVERS.NET
(root)  nameserver = F.ROOT-SERVERS.NET
(root)  nameserver = B.ROOT-SERVERS.NET
(root)  nameserver = J.ROOT-SERVERS.NET
(root)  nameserver = K.ROOT-SERVERS.NET
(root)  nameserver = L.ROOT-SERVERS.NET
(root)  nameserver = M.ROOT-SERVERS.NET
(root)  nameserver = I.ROOT-SERVERS.NET
(root)  nameserver = E.ROOT-SERVERS.NET
(root)  nameserver = D.ROOT-SERVERS.NET
A.ROOT-SERVERS.NET      internet address = 198.41.0.4
H.ROOT-SERVERS.NET      internet address = 128.63.2.53
C.ROOT-SERVERS.NET      internet address = 192.33.4.12
G.ROOT-SERVERS.NET      internet address = 192.112.36.4
F.ROOT-SERVERS.NET      internet address = 192.5.5.241
B.ROOT-SERVERS.NET      internet address = 128.9.0.107
J.ROOT-SERVERS.NET      internet address = 198.41.0.10
K.ROOT-SERVERS.NET      internet address = 193.0.14.129
L.ROOT-SERVERS.NET      internet address = 198.32.64.12
M.ROOT-SERVERS.NET      internet address = 202.12.27.33
I.ROOT-SERVERS.NET      internet address = 192.36.148.17
E.ROOT-SERVERS.NET      internet address = 192.203.230.10
D.ROOT-SERVERS.NET      internet address = 128.8.10.90
*** Can't find server name for address 207.69.188.192: No information
*** Default servers are not available

> nslookup
Default Server:  proxy2.rdc1.sdca.home.com
Address:  24.0.3.34

> server sol.earthlink.net
Default Server:  sol.earthlink.net
Address:  207.69.188.192

> sonicboom.org.
Server:  sol.earthlink.net
Address:  207.69.188.192

Name:    sonicboom.org
Address:  24.13.23.40

Brian "Sonic" Whalen
Success = Preparation + Opportunity


Date: Thu, 20 Sep 2001 17:41:10 -0500
From: Len Conrad
To: freebsd-isp@freebsd.org
Subject: Re: weird dns problem
Message-Id: <5.1.0.14.0.20010920173240.03a4aec8@mail.Go2France.com>
In-Reply-To: <20010920150631.T14298-100000@cx175057-a.ocnsd1.sdca.home.com>

>If I nslookup domainname authoritative-name-server, I get the root servers
>back, it's a complete failure.

The root-servers.net + their ip addresses are called a "referral", while what you were looking for was an "answer".
Don't use nslookup, use dig:

# dig @sol.earthlink.net sonicboom.org

; <<>> DiG 8.3 <<>> @sol.earthlink.net sonicboom.org
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      sonicboom.org, type = A, class = IN

;; ANSWER SECTION:
sonicboom.org.          36M IN A        24.13.23.40

;; AUTHORITY SECTION:
sonicboom.org.          36M IN NS       ns.gecko.org.
sonicboom.org.          36M IN NS       ns1.noc.netcom.net.
sonicboom.org.          36M IN NS       ns2.noc.netcom.net.

;; ADDITIONAL SECTION:
ns.gecko.org.           12H IN A        199.174.211.75
ns1.noc.netcom.net.     3h1s IN A       204.31.1.1
ns2.noc.netcom.net.     3h1s IN A       199.183.9.2

>Yet if I use it interactively:
>
>nslookup
>enter
>server authoritative-name-server
>enter
>domainname
>
>it works..
>
> > nslookup sonicboom.org sol.earthlink.net
>Authoritative answers can be found from:
>(root)  nameserver = A.ROOT-SERVERS.NET
>(root)  nameserver = H.ROOT-SERVERS.NET
>(root)  nameserver = C.ROOT-SERVERS.NET
>(root)  nameserver = G.ROOT-SERVERS.NET
>(root)  nameserver = F.ROOT-SERVERS.NET
>(root)  nameserver = B.ROOT-SERVERS.NET
>(root)  nameserver = J.ROOT-SERVERS.NET
>(root)  nameserver = K.ROOT-SERVERS.NET
>(root)  nameserver = L.ROOT-SERVERS.NET
>(root)  nameserver = M.ROOT-SERVERS.NET
>(root)  nameserver = I.ROOT-SERVERS.NET
>(root)  nameserver = E.ROOT-SERVERS.NET
>(root)  nameserver = D.ROOT-SERVERS.NET
>A.ROOT-SERVERS.NET      internet address = 198.41.0.4
>H.ROOT-SERVERS.NET      internet address = 128.63.2.53
>C.ROOT-SERVERS.NET      internet address = 192.33.4.12
>G.ROOT-SERVERS.NET      internet address = 192.112.36.4
>F.ROOT-SERVERS.NET      internet address = 192.5.5.241
>B.ROOT-SERVERS.NET      internet address = 128.9.0.107
>J.ROOT-SERVERS.NET      internet address = 198.41.0.10
>K.ROOT-SERVERS.NET      internet address = 193.0.14.129
>L.ROOT-SERVERS.NET      internet address = 198.32.64.12
>M.ROOT-SERVERS.NET      internet address = 202.12.27.33
>I.ROOT-SERVERS.NET      internet address = 192.36.148.17
>E.ROOT-SERVERS.NET      internet address = 192.203.230.10
>D.ROOT-SERVERS.NET      internet address = 128.8.10.90
>*** Can't find server name for address 207.69.188.192: No information
>*** Default servers are not available

You have to read what comes back; obviously you missed the preceding.

# dig -x 207.69.188.192

; <<>> DiG 8.3 <<>> -x
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;;      192.188.69.207.in-addr.arpa, type = ANY, class = IN

;; ANSWER SECTION:
192.188.69.207.in-addr.arpa.  1H IN PTR  sol.earthlink.net.

...

but the answer had a very long delay for me, so probably your nslookup timed out waiting for the PTR answer. nslookup requires the NS queried to have a PTR, a stupid requirement. Use dig.

Your problem is a false one, yet again, thanks to nslookup.

Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways


Date: Fri, 21 Sep 2001 01:35:20 +0200
Message-ID: <012101c1422e$c0aa4e40$6d05a8c0@neland.dk>
From: "Leif Neland"
Subject: ip-adress -> abuse-adress

whois.abuse.net can give email addresses of the abuse department of a domain.

As many "forget" to make reverse mapping of IP addresses, has somebody made a script which can "trace" an IP number to the netblock owner, using either ripe, arin or whatever whois is needed?

Leif

I wish I had content which was interesting and unique enough to make blocking it for IPs without proper reverse mapping have an impact...

---
http://members.ud.com/services/teams/team.htm?id=C47FB770-0A0A-452B-8851-874646C2B375


Date: Fri, 21 Sep 2001 08:52:27 +0800
Message-ID: <00c301c14237$b00c11a0$125131ce@wavephil.com>
From: "Jun Favoreal"
Subject: so many TIME_WAIT, FIN_WAIT_1, FIN_WAIT_2

Hello,

This is my setup.
I have a transparent proxy server running SQUID 2.4-STABLE2 on a FreeBSD box running 4.3-RELEASE. As with any transparent proxy out there, HTTP requests are intercepted by our primary router and redirected to the FreeBSD box; the FreeBSD box hijacks them and makes the HTTP connection on behalf of the hijacked HTTP request. Everything is working just fine.

But, just one observation from the FreeBSD box: if you do a

    # netstat -an

I see so many TCP socket connections in either FIN_WAIT_1, FIN_WAIT_2, or TIME_WAIT status.

    tcp4  0  0  199.172.146.99.80     202.58.248.20.3108   FIN_WAIT_1
    tcp4  0  0  64.4.13.171.80        202.58.248.20.3106   FIN_WAIT_2
    tcp4  0  0  206.49.81.19.24737    207.25.71.212.80     TIME_WAIT
    tcp4  0  0  64.38.209.154.80      202.58.248.20.3099   FIN_WAIT_2
    tcp4  0  0  216.136.172.223.80    202.58.253.254.3894  TIME_WAIT
    tcp4  0  0  64.38.209.154.80      202.58.248.20.3095   FIN_WAIT_2
    tcp4  0  0  216.115.106.35.80     202.58.248.20.3092   FIN_WAIT_2
    tcp4  0  0  216.136.173.152.80    202.58.247.204.3265  TIME_WAIT
    tcp4  0  0  216.136.173.152.80    202.58.247.204.3263  TIME_WAIT
    tcp4  0  0  207.68.177.124.80     202.58.248.20.3090   FIN_WAIT_2
    tcp4  0  0  64.58.76.229.80       202.58.247.211.1400  TIME_WAIT
    tcp4  0  0  209.85.3.8.80         202.58.248.20.3088   FIN_WAIT_2

Previously I have set up 2 other transparent proxy servers running FreeBSD 3.3-RELEASE and I see the same thing. Once it's there, it stays there and each day its number grows. So what I do from time to time is to shut down the FreeBSD box and boot it again just to remove these things and start over with a clean slate.

I have also tried some tweaking in SQUID, most of them decreasing the timeout values like connect_timeout, read_timeout, request_timeout, pconn_timeout, and client_lifetime.

Anyone out there who has had this problem before???

Thank you in advance.

--
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

From owner-freebsd-isp Fri Sep 21 5:22:26 2001
From: "Arkadi Kosmynin"
Subject: New software - hope can help reduce external traffic
Date: Fri, 21 Sep 2001 22:18:41 +1000

Hello,

We are looking for a few ISPs or news providers who would be willing to start using it ASAP and whom we would support very closely (including free remote installation and configuration if required) and make sure that the software works for them and they are happy.

The software (OzWay) is a News2Web gateway with an easy-to-use WYSIWYG interface. It displays thumbnails of images attached to articles, to give people a chance to choose what they want to download BEFORE they start downloading. OzWay works as a client to a news server and will not interfere with the server's normal operations.
It is designed to make Usenet easy and attractive to users, and to help you switch at least some of your "binary fans" from your external Web link to your news server, thus saving external bandwidth, making the Web faster for other people and improving the return on the investment in your news server.

The gateway is stable under internal testing, including stress tests, but, obviously, we are not able to put it under a normal operating load. It would be very useful to get your feedback as well as that of your users, if possible.

It is very, very simple to install (and uninstall :-) - just unpack to a directory. Available in Win32, RedHat or FreeBSD versions. Hardware requirements are very modest: a PC with a 500+ MHz CPU, 128Mb+ RAM and min. 5-10Mb of hard drive space. A fast connection (LAN recommended) to a news server is important. The amount of hard drive space used depends on how much caching is used. If reducing load on the news server and/or minimizing traffic between the server and the gateway is important, a few gigs should be given to the cache.

It is an exciting new product that will be of interest to any ISP or news provider. It is very similar to our earlier release, AnsWay Pro (see http://www.ozinsight.com/webGate/). The difference is that this one works with any NNTP-compliant news server and has a built-in cache. Also, we are adding an NNTP interface as well, so it is going to be an integral solution: a Web gateway with thumbnails, and a news cache emulating a news server. It serves all this up on very nice looking WYSIWYG Web pages to your customers.

As a bonus, those willing to pioneer OzWay will get free licenses when the final product is released.

If you are interested please send me an email. If you want to try it working (as an end user), I can give you access details for our demo server.

Regards,

Arkadi.
From owner-freebsd-isp Fri Sep 21 14:53:38 2001
From: "alexus"
Subject: Courier IMAP 1.3.1 won't compile
Date: Fri, 21 Sep 2001 17:53:29 -0400
Organization: NexGen
Message-ID: <002701c142e7$d941eee0$0d00a8c0@alexus>

I'm using qmail vpopmail 4.9.10 and I'm trying to compile Courier IMAP and I end up with this error:

    Making all in authlib
    gmake[1]: Entering directory `/usr/local/src/courier-imap-1.3.11/authlib'
    gcc -DHAVE_CONFIG_H -I. -I. -I. -I/var/qmail/vpopmail/include -g -O2 -Wall -I.. -I./.. -c authvchkpw.c
    authvchkpw.c: In function `auth_vchkpw_changepass':
    authvchkpw.c:142: warning: assignment from incompatible pointer type
    authvchkpw.c:151: dereferencing pointer to incomplete type
    authvchkpw.c:151: dereferencing pointer to incomplete type
    gmake[1]: *** [authvchkpw.o] Error 1
    gmake[1]: Leaving directory `/usr/local/src/courier-imap-1.3.11/authlib'
    gmake: *** [all-recursive] Error 1
    su-2.05#

Can someone please help?
Thanks

From owner-freebsd-isp Fri Sep 21 16: 3:35 2001
From: Kenneth W Cochran
To: freebsd-isp@freebsd.org
Subject: Apache/webhosting user/group security/config
Date: Fri, 21 Sep 2001 19:03:11 -0400 (EDT)
Message-Id: <200109212303.TAA11994@world.std.com>

Hello:

I'm trying to set up a webhosting server and have some questions about "properly secured" Apache configuration. I've been digging through books, security/apache-related websites, and FreeBSD mail & pr archives & so far cannot find answers to my "situation." Especially, I haven't found clear (to me) explanations/recommendations for owner/group/permissions of Web-*content* directories.

Background/current configuration:

OS is FreeBSD 4.4-stable, recently cvsup'ed/built/running. Web content is to be in its own filesystem(s), outside of any of the "system" directories (for example, outside of /usr and /var). The default installation of the apache port (1.3.20) operates httpd as user/group "nobody/nogroup" and the default apache+ssl port configuration runs httpd as user/group "nobody/nobody."

Question: How "sane" is this user/group?
For example, very knowledgeable people with whom I've spoken, and books and other resources I've researched, indicate that "nobody" is probably not very good, as it is already "taken" by nfs. I'm considering a send-pr, requesting this for review/change.

So, what would be a good alternative? For example, "bind" was added as a user/group sometime back in support of boxing named, so, in keeping with that "tradition/convention," maybe "apache?"

www - sounds good, & in common use in Linux, but I was thinking more of "www" as a group (to me, it "fits better" in that namespace :).

httpd - good, too, but might confuse reports, distinguishing between the running daemon & its owner.

Also, what would be a good UID/GID number? Bind is using 53 for both UID & GID, apparently using that service's port number. So, maybe 80 for the webserver UID & GID?

I need & plan to enable suEXEC & need to make sure that is "sane and proper." :) For examples:

What should I use for suEXEC's document-root directory?
What should suEXEC's caller-UID be? (default: www)
What other suEXEC configuration options should I consider? For example, if I make a UID/GID of 80 for suexec and set its minimum at, say, 1000 (its default is 100 anyway), will that not allow suexec to operate?

Here are some (more specific) things with which I'm having misgivings:

I'm being asked to create a user & group of "www" and to run httpd as this user & group. Currently, this is nobody/nogroup, and as I mentioned above, this should probably indeed be changed.

Additionally, I'm being asked to add "www" to the allowed/invited groups of a hosted user (in /etc/groups). I'm told (& I agree) that this should be unnecessary.

I've tried to explain that these are bad ideas/practices but so far, I haven't been able to adequately explain that to the requesting parties. Can someone help me with a "good explanation" of why these are Bad Ideas (if indeed they are bad, of course)? Citable sources would be Most Appreciated, too.
:)

I'd also appreciate pointers to other places (i.e. mailing lists) to ask if this is not "best/appropriate." :) For example, would -security be a good place to ask?

Please cc me replies.

Many thanks,

-kc

From owner-freebsd-isp Fri Sep 21 21:58:33 2001
From: gd168@24k.com.tw
Subject: Research Report on Environmentally Friendly Laser Toner Cartridges
Date: Saturday, 22 September 2001 12:56:26 +0800
Message-Id: <37156.539200462963200.154431@localhost>

To: National Taiwan University and its affiliated administrative and academic research units / government agencies and organizations at all levels nationwide / companies / trade associations or individuals. Submitted for your review!
From: 企龍 Office Supplies Co., Ltd.  Tel: (02)2701-2000

Subject: The advantages of using [environmentally friendly laser toner cartridges] and key purchasing points.

Explanation: Research report on environmentally friendly laser toner cartridges

(1) Preface

In recent years, as the relevant technologies have matured and the semiconductor industry has flourished, laser printer prices have fallen sharply. Every manufacturer pushes prices down to expand market share and then recoups its profit on the consumables that follow. What you spend on toner cartridges is, in the long run, a considerable expense.

[Three reasons to use environmentally friendly laser toner cartridges]

(1) The technology has matured: Given the ever-growing demand for toner and ink cartridges, domestic firms began R&D work five years ago on laser printer electrophotographic technology and toner photoreceptors. All members of the R&D team hold master's or doctoral degrees, have an in-depth understanding of the precision structures of the major brands' machines, have mastered many of the relevant technologies, and have made a number of improvements to cartridge materials and process parameters to suit Taiwan's hot and humid subtropical climate. Under strict quality control, the environmentally friendly laser toner cartridges produced domestically print as clearly as the original manufacturer's and do not damage the machine.

(2) Doing our part for the environment: Pollution caused by toner cartridges grows by the day, and humanity must reflect on this. We have only one Earth, and preserving a clean living environment for all humankind and for future generations can no longer wait! Let us start on campus and recycle and use environmentally friendly laser toner cartridges together.

(3) Saving printing costs: According to a Commercial Times report of 12 April, ROC year 90 (2001), environmentally friendly laser toner cartridges save around 40% of the cost, with no extra spending.

(2) Global trend analysis

Comparison of remanufactured toner cartridge use in 1999:
    European and American markets: remanufactured cartridge usage rate 30% (about 1/3)
    Taiwan market: remanufactured cartridge usage rate 5%
    (Source: Recharger magazine)

Taiwan has about 500,000 laser printers, estimated to use about 1 to 2 million laser toner cartridges per year, producing about 2,000 to 2,500 metric tons of solid waste, and this number grows every year. These plastic wastes take more than ten centuries to decompose, placing a serious burden on Taiwan's 36,000 square kilometres of land.

Environmental laws in Europe and America have for many years mandated recycling rates for manufacturers, with corresponding support policies for recyclers, and continuously educate users in the concept of Recycle, Reduce, Reuse.

The facts show that this not only helps the environment but also lowers spending; the United States has explicitly ordered all units of the federal government to use environmentally friendly toner cartridges.

(3) Positive significance for environmental protection and resource recycling

If manufacturing each cartridge takes more than three quarts of oil, then Taiwan uses nearly 1 million gallons of oil every year. If you switch to buying environmentally friendly cartridges, you have clearly made a contribution to protecting the environment, because our landfills need one less space to store your cartridge.

Given the ever-growing number of laser printers in use in Taiwan, countless cartridges are discarded every day, and the toner pigment particles inside them, about 6-12 microns in size, seep into groundwater and pollute water sources. Removing these toner particles from water requires special filtration equipment, so companies, schools and individuals all share the responsibility of preventing cartridge pollution; recycling and reuse of cartridges is currently the only way.

(4) Key points for purchasing environmentally friendly cartridges

Because there are too many suppliers of environmentally friendly cartridges on the market and their quality is uneven, please look for the environmentally friendly cartridges distributed by 企龍, currently Taiwan's only professionally oriented environmentally friendly laser toner cartridge, with a quality satisfaction guarantee and a refund if not satisfied, protecting consumer rights and avoiding inferior products. Choose 企龍 for guaranteed quality!

Before purchasing, be sure to ask about the following important criteria:
1. Is the environmentally friendly laser toner cartridge manufactured entirely by a standard process? During the process, are the waste toner hopper and related parts cleaned and are the components tested for performance?
2. Is the toner hopper completely cleaned before it is refilled with brand-new toner?
3. Is the toner used for filling produced by an internationally known toner manufacturer?
4. Are all toner hoppers sealed with tape and delivered intact to the user?
5. Does the cartridge leave the factory only after passing complete and strict quality-control testing?
6. Is the toner used for testing added separately? Is the amount of toner filled the same as the capacity of the original cartridge, with no shortfall?
7. Has the filled toner been precisely tested and confirmed to be above the standard value before filling?
8. Is the replacement photosensitive drum a product of an internationally known high-tech brand?
9. Is the finished cartridge wrapped in black plastic to block light, protected with bubble bags or special padding, and then placed in a protective case, to ensure it suffers no damage from light or other physical or chemical harm during transport and before use?

All environmentally friendly laser toner cartridges distributed by 企龍 have passed the above tests. We fully implement a quality satisfaction guarantee before reordering, with guaranteed returns if you are not satisfied!
(5) Price information: Prices of environmentally friendly laser toner cartridges are published on our website; you are welcome to check online.
    Website: http://clik.to/96969180

(6) Contact information: The above information is provided by 企龍 Office Supplies Co., Ltd. To place an order, please call (02)2701-2000 and our enthusiastic staff will serve you.

From owner-freebsd-isp Sat Sep 22 21:11: 8 2001
From: Joe Greco
To: tom.oneil@tacni.com
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: EMERGENCY - Arp attack? Am I being DOS'd ?
Date: Sat, 22 Sep 2001 23:10:57 -0500 (CDT)
Message-Id: <200109230410.XAA43286@aurora.sol.net>

You're probably getting scanned by all the various Microsoft worms out for vulnerabilities in your systems. If you have lots of unused IP space, bound to ethernets, this leads to massive quantities of ARP.

Another triumph for OSPF, /30 link nets, and severely size-limited switch networks. I haven't noticed any problems here :-)

--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
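A defensive companion to Greco's point, added here and not part of his message or of the list: a Python script that reads tcpdump-style ARP lines and separates hosts that answer from addresses that are asked for repeatedly and never reply, which is what a router ARPing for unused space looks like on the wire. The capture lines and the 192.0.2.0/24 addresses are constructed for the example.

```python
import re
from collections import Counter

# Field patterns for the ARP lines "tcpdump -n arp" prints, e.g.
#   12:00:01.000 ARP, Request who-has 192.0.2.77 tell 192.0.2.1, length 28
#   12:00:01.001 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:0a, length 28
REQ = re.compile(r"ARP, Request who-has (\S+) tell ")
REP = re.compile(r"ARP, Reply (\S+) is-at ")

def arp_report(lines, min_requests=3):
    """Count who-has requests per target and note which targets ever replied.

    'silent' holds targets asked for at least min_requests times that never
    answered: on a router-fronted subnet that is the footprint of traffic
    aimed at unused addresses, the ARP load Greco describes. One silent host
    is a machine that is down; many of them is a sweep of the block."""
    requests = Counter()
    replied = set()
    for line in lines:
        m = REQ.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REP.search(line)
        if m:
            replied.add(m.group(1))
    answered = len(replied & set(requests))
    silent = {ip: n for ip, n in requests.items()
              if ip not in replied and n >= min_requests}
    ratio = round(1 - answered / len(requests), 2) if requests else 0.0
    return {"targets": len(requests), "answered": answered,
            "unanswered_ratio": ratio, "silent": silent}

# Constructed sample capture (TEST-NET-1 addresses): two live hosts answer,
# two addresses are asked for repeatedly and never answer, one is asked once.
SAMPLE = """\
12:00:01.000 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 28
12:00:01.001 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:0a, length 28
12:00:01.100 ARP, Request who-has 192.0.2.77 tell 192.0.2.1, length 28
12:00:02.100 ARP, Request who-has 192.0.2.77 tell 192.0.2.1, length 28
12:00:03.100 ARP, Request who-has 192.0.2.77 tell 192.0.2.1, length 28
12:00:03.200 ARP, Request who-has 192.0.2.78 tell 192.0.2.1, length 28
12:00:04.200 ARP, Request who-has 192.0.2.78 tell 192.0.2.1, length 28
12:00:05.200 ARP, Request who-has 192.0.2.78 tell 192.0.2.1, length 28
12:00:06.300 ARP, Request who-has 192.0.2.20 tell 192.0.2.1, length 28
12:00:06.301 ARP, Reply 192.0.2.20 is-at 00:00:5e:00:53:14, length 28
12:00:07.000 ARP, Request who-has 192.0.2.99 tell 192.0.2.1, length 28
"""

if __name__ == "__main__":
    report = arp_report(SAMPLE.splitlines())
    for ip, n in sorted(report["silent"].items()):
        print(f"{ip}: {n} who-has, never is-at")
    print(f"{report['answered']}/{report['targets']} queried addresses answered")
```

Feed it `tcpdump -n -l arp` output line by line to watch the silent count over a few minutes; a steadily growing set of silent targets across the whole block is the scan signature, while the same few addresses every time are just dead hosts.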