#1 |
Registered User
Join Date: Mar 2001
Posts: 46
I just received the following email from Verio.
They're charging $75 for the upgrade but I gave a (struggling) buddy $25 to take care of it for me. His email is josh@strangled.net if anybody needs help.

------------------------

Dear Verio Dedicated Server Customer,

Qualcomm has recently released a security update regarding Qpopper, the piece of software that allows you to retrieve mail from your dedicated server. Qualcomm has released version 4.03 of Qpopper, and has stated that all versions of Qpopper previous to 4.03 are vulnerable to remote root exploits under Solaris and Linux. This could allow an individual to gain unauthorized remote access to your server hosted here.

Public exploit code has been released for Linux to many newsgroups and public forums. It has become a simple process for unauthorized individuals to gain remote access to Linux machines. While public exploit code has not been released for Solaris, the same vulnerability exists in the Solaris version of Qpopper, so it could still be possible for someone to gain access to your server even if it is running Solaris.

You are receiving this message because we have identified your machine as one running an older version of Qpopper. While Verio is not responsible for security updates and patches to your machine after release, we feel the situation warrants notification to you. We'd like to make it as easy as possible for you to upgrade, and offer our assistance in making your machine more secure.

We will upgrade your machine to the latest version of Qpopper at a flat rate of $75.00 US. The upgrade will involve no downtime for the machine and only a very short downtime for the POP server itself. This may cause mail clients to be momentarily disconnected when we stop the old version and start the new version. Please let us know if you have any questions regarding this upgrade or other software upgrades that can be done to your machine. We can update any piece of software that we support, and can generally upgrade those that you have left 'as-installed' on the server at a low flat rate.

If you would like for us to do the work, email your request to unixadmin@dn.net. Please state that you would like Qpopper upgraded to the latest version and $75.00 charged to your account. Also, be sure to put DSI-serverid in the subject (ex. DSI-linux1234). After you request the work, please expect a waiting period of 8-12 hours as we expect a large number of customers will take advantage of our offer.

In order to do the upgrade yourself, you will need the Qpopper source, available from www.qualcomm.com, and some knowledge of compiling software under UNIX. The upgrade should be fairly painless and Qpopper has no configuration files that will need to be changed.

Thanks,
Verio Customer Support

---------------------------

Good luck guys.

Regards,
Michael
http://www.badassbuddy.com
#2 |
Registered User
Join Date: Jun 2000
Posts: 174
Hey, I'm about to colo with Verio. Do they send those messages to people with dedicated servers from them, and how often are they sent?
#3 |
Registered User
Join Date: Mar 2001
Posts: 46
That's the first time I've received an email like that from them. If you're colocating, they most likely will NOT send you security update emails.

Regards,
Michael
http://www.badassbuddy.com
#4 |
Registered User
Join Date: Feb 2001
Posts: 61
This upgrade requires about five minutes of work.
The last Qpopper vulnerability was published on June 2nd. ONLY

Qualcomm qpopper 4.0.2
Qualcomm qpopper 4.0.1
Qualcomm qpopper 4.0

are vulnerable to this attack. Previous versions of qpopper are not vulnerable. As far as I know, no exploit code was released. Are Verio worried about their customers, or do they just want to make more money?

------------------
http://www.energyhosting.com
Excellent price, reliability, flexibility, speed, support and features.
#5 |
Registered User
Join Date: Nov 1999
Location: Malta, Europe
Posts: 292
From the Eudora Web site:

Security Vulnerability

Some versions of Qpopper are vulnerable to buffer overruns. Qpopper 2.41 and older can be used to obtain root access to your system. Qpopper 2.53 and older may permit an attacker who has access to a valid account to obtain a shell with group-id 'mail', potentially allowing read/write access to all mail.

http://www.eudora.com/qpopper_general/#BUFFER

------------------
Regards,
Arie Slob, InfiniSource, Inc.
http://www.infinisource.com
Internet & Windows Resources