Well, on the heels of this question and my answer (which still
essentially stands ;-), SecurityFocus, operators of the excellent
Bugtraq security mailing list, have launched an Apple/Mac OS X-
focused list:
"The Focus-Apple mailing list discusses security involving hardware
and software produced by Apple or that runs on Apple platforms.
Discussion may include security assessment, planning, and
implementation for Apple technologies. This list is meant as an aid
to network and systems administrators and security professionals who
are responsible for implementing, reviewing and ensuring the security
of their Apple hosts and applications."
(And yes, I did mean to hijack this existing thread and change the
subject.)
- Dave
On May 26, 2006, at 6:35 PM, Dave Schroeder wrote:
That's the problem: these aren't "OS X" vulnerabilities. These are
generic *NIX/Linux/BSD vulnerabilities that won't really be
discussed at length in any OS X/OS X Server-specific resource.
When you run UNIX services on OS X Server, you're open to
traditional UNIX-service-type vulnerabilities, like weak passwords,
php injections in webapps, MySQL exploits, etc, etc, etc. You now
need to keep up with security announcements and best practices in a
larger world.
- Dave
On May 26, 2006, at 2:39 PM, email@hidden wrote:
I recently had one customer whose xServe was compromised by
spammers because of weak user passwords. I cleaned the files out
of /tmp and /var/tmp and disabled the compromised accounts, turned
off web services and removed shell access for all other users.
(In my case web services were being used for webmail)
Do an ls -la on /tmp and /var/tmp to look for users who do not
belong. Once you identify the users you can use find to look for
any additional files.
On a related note, can anyone recommend a good security resource
that is relevant for Mac OS X? I see Apple has a security
announce list, but I am looking for a place that would discuss
these types of vulnerabilities.
Thanks
Todd
On May 19, 2006, at 2:52 PM, Marty Crouch wrote:
Hello,
Running a 10.3.9 xServe primarily for web services,
raven.webvalence.com. Mail Services are NOT enabled in the Server
Admin for this server and my intention is for Postfix to serve
only localhost sendmail requests from scripts running on this
machine.
Spammers have breached my postfix configuration and are
introducing up to thousands of messages per hour. I have attached
a snippet from the Postfix mail log. From the Postfix docs, it
seems that the log confirms that the attack is occurring in
localhost, because postfix/pickup is accepting the message from
uid = 70, which is the www user. This seems to mean that httpd is
involved in the attack or someone is logged in as www.
If my logic so far is correct, then my challenge is making the
leap from knowing that the attack is coming from a compromised
script to knowing what user account and/or software has been
compromised.
My users mostly use off-the-shelf php scripts such as wordpress,
phpbb, mambo, sunsoft, xcart.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/macos-x-server/das%40doit.wisc.edu
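The two procedures in the thread above, in working shell, as an added example that is not part of any message in the thread: Todd's check (look in /tmp and /var/tmp for files belonging to accounts that do not belong there) and Marty's reading of the log (postfix/pickup lines with uid=70 are local submissions from the www user, and the open question is which script is calling sendmail). It assumes Postfix syslog-format log lines; the sample embedded below is constructed, since the snippet Marty attached is not on the page. The function names, the SENDMAIL_REAL and SENDMAIL_LOG variables and the sendmail-wrapper technique are this example's own, not something the thread proposes.

```sh
#!/bin/sh
# Added example (not code from the thread). POSIX sh helpers for the case
# Marty and Todd describe: a script running as the www user (uid 70 on
# Mac OS X) injecting mail through the local sendmail interface.

# Constructed sample in Postfix syslog format. These are NOT the lines Marty
# attached (his snippet is not on the page); host, queue IDs and counts are
# made up.
SAMPLE_LOG='May 19 14:20:01 raven postfix/pickup[312]: 5A1B2C3D4E: uid=70 from=<www>
May 19 14:20:01 raven postfix/cleanup[315]: 5A1B2C3D4E: message-id=<20060519142001.5A1B2C3D4E@raven.webvalence.com>
May 19 14:20:02 raven postfix/qmgr[301]: 5A1B2C3D4E: from=<www@raven.webvalence.com>, size=2048, nrcpt=50 (queue active)
May 19 14:20:05 raven postfix/pickup[312]: 6B2C3D4E5F: uid=70 from=<www>
May 19 14:20:06 raven postfix/qmgr[301]: 6B2C3D4E5F: from=<www@raven.webvalence.com>, size=2101, nrcpt=48 (queue active)
May 19 14:20:09 raven postfix/pickup[312]: 7C3D4E5F60: uid=0 from=<root>
May 19 14:20:10 raven postfix/qmgr[301]: 7C3D4E5F60: from=<root@raven.webvalence.com>, size=512, nrcpt=1 (queue active)
May 19 14:21:11 raven postfix/pickup[312]: 8D4E5F6071: uid=70 from=<www>
May 19 14:21:12 raven postfix/qmgr[301]: 8D4E5F6071: from=<www@raven.webvalence.com>, size=1990, nrcpt=52 (queue active)'

# Log on stdin -> "count uid user", busiest first. postfix/pickup only
# handles mail dropped into the maildrop by the local sendmail(1) command,
# so these are submissions from processes on this host, never from SMTP.
pickup_by_uid() {
    sed -n 's/.*postfix\/pickup\[[0-9]*\]: [A-Za-z0-9]*: uid=\([0-9]*\) from=<\([^>]*\)>.*/\1 \2/p' \
        | sort | uniq -c | sort -rn
}

# Local submissions by one uid (log on stdin). Prints 0 if none.
count_pickups_for_uid() {
    pickup_by_uid | awk -v want="$1" '
        $2 == want { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Recipients queued by one uid (log on stdin): join the pickup line (queue
# id -> uid) with the qmgr line that carries nrcpt=. A few hundred messages
# from uid 70 is unremarkable; tens of thousands of recipients is the flood.
recipients_for_uid() {
    awk -v want="$1" '
        /postfix\/pickup\[/ {
            qid = $6; sub(/:$/, "", qid)
            uid = $7; sub(/^uid=/, "", uid)
            owner[qid] = uid
        }
        /postfix\/qmgr\[/ && /nrcpt=/ {
            qid = $6; sub(/:$/, "", qid)
            if (owner[qid] != want) next
            for (i = 1; i <= NF; i++)
                if ($i ~ /^nrcpt=/) { n = $i; sub(/^nrcpt=/, "", n); sub(/,$/, "", n); total += n }
        }
        END { print total + 0 }'
}

# Todd's check: files under the given directories owned by USER (name or
# numeric uid), one ls -la line each. Run it for www and for any account
# that should not own anything in /tmp or /var/tmp.
files_owned_by() {
    user="$1"; shift
    find "$@" -user "$user" -type f -exec ls -la {} \; 2>/dev/null
}

# Marty's missing link: which script calls sendmail? Postfix does not log
# that, but a wrapper can. Move the real binary to sendmail.real, install a
# script whose body is this function as /usr/sbin/sendmail, and each call
# is recorded with the caller's working directory (mod_php normally chdirs
# to the script's directory before running it, so this usually points at
# the abused webapp). SENDMAIL_REAL and SENDMAIL_LOG are assumed names; the
# log file must be appendable by www, which rules out /var/log as is.
sendmail_wrapper() {
    : "${SENDMAIL_REAL:=/usr/sbin/sendmail.real}"
    : "${SENDMAIL_LOG:=/var/tmp/sendmail-callers.log}"
    printf '%s uid=%s ppid=%s pwd=%s args=%s\n' \
        "$(date '+%b %d %H:%M:%S')" "$(id -u)" "$PPID" "$(pwd)" "$*" >>"$SENDMAIL_LOG"
    exec "$SENDMAIL_REAL" "$@"
}

# Demo on the constructed log: who is submitting, and how much.
printf '%s\n' "$SAMPLE_LOG" | pickup_by_uid
echo "recipients queued by uid 70: $(printf '%s\n' "$SAMPLE_LOG" | recipients_for_uid 70)"
```

On a live box, feed the real log (`cat /var/log/mail.log | pickup_by_uid`) and compare the uid 70 line with what the site's webmail and forms legitimately send; then `files_owned_by www /tmp /var/tmp` and `files_owned_by www /Library/WebServer/Documents` (or wherever the sites live) to list what the web user has been writing. The wrapper is the step that turns "some PHP script" into a directory name; remember to remove it once the offending script is found, since a wrapper left in place is one more file running as www on every mail submission.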