Welcome to the GeekTalk Webmaster Discussion Forums from GeekVillage.com

Old 07-10-2001, 02:51 PM   #1
badassbuddy
Dedicated Server Security Notice

I just received the following email from Verio.

They're charging $75 for the upgrade but I gave a (struggling) buddy $25 to take care of it for me. His email is josh@strangled.net if anybody needs help.
------------------------

Dear Verio Dedicated Server Customer,


Qualcomm has recently released a security update regarding Qpopper, the
piece of software that allows you to retrieve mail from your dedicated
server. Qualcomm has released version 4.03 of Qpopper, and has stated that
all versions of Qpopper previous to 4.03 are vulnerable to remote root
exploits under Solaris and Linux. This could allow an individual to gain
unauthorized remote access to your server hosted here.


Public exploit code has been released for Linux to many newsgroups and
public forums. It has become a simple process for unauthorized individuals
to gain remote access to Linux machines. While public exploit code has not
been released for Solaris, the same vulnerability exists in the Solaris
version of Qpopper, so it could still be possible for someone to gain access
to your server even if it is running Solaris.


You are receiving this message because we have identified your machine as
one running an older version of Qpopper. While Verio is not responsible for
security updates and patches to your machine after release, we feel the
situation warrants notification to you. We'd like to make it as easy as
possible for you to upgrade, and offer our assistance in making your machine
more secure.


We will upgrade your machine to the latest version of Qpopper at a flat rate
of $75.00 US. The upgrade will involve no downtime for the machine and only
a very short downtime for the POP server itself. This may cause mail clients
to be momentarily disconnected when we stop the old version and start the
new version.


Please let us know if you have any questions regarding this upgrade or other
software upgrades that can be done to your machine. We can update any piece
of software that we support, and can generally upgrade those that you have
left 'as-installed' on the server at a low flat rate.


If you would like for us to do the work, email your request to unixadmin@dn.net.
Please state that you would like Qpopper upgraded to the latest version and
$75.00 charged to your account. Also, be sure to put DSI-serverid in the subject
(ex. DSI-linux1234). After you request the work, please expect a waiting period
of 8-12 hours as we expect a large number of customers will take advantage of
our offer.


In order to do the upgrade yourself, you will need the Qpopper source,
available from www.qualcomm.com, and some knowledge of compiling software
under UNIX. The upgrade should be fairly painless and Qpopper has no
configuration files that will need to be changed.


Thanks,


Verio Customer Support
---------------------------

Good luck guys.

Regards,
Michael http://www.badassbuddy.com
Old 07-12-2001, 05:24 AM   #2
parplex

Hey, I'm about to colo with Verio. Do they send those messages to people with dedicated servers from them, and how often are they sent?
Old 07-12-2001, 01:40 PM   #3
badassbuddy

That's the first time I've received an email like that from them. If you're colocating, they most likely will NOT send you security update emails.

Regards,
Michael http://www.badassbuddy.com
Old 07-15-2001, 04:34 PM   #4
RK

This upgrade requires about five minutes of work.

The last Qpopper vulnerability was published on June 2nd.
ONLY
Qualcomm qpopper 4.0.2
Qualcomm qpopper 4.0.1
Qualcomm qpopper 4.0
are vulnerable to this attack.
Previous versions of qpopper are not vulnerable.
As far as I know no exploit code was released.

Are Verio worried about their customers, or do they just want to make more money?

------------------
http://www.energyhosting.com
Excellent price, reliability, flexibility, speed, support and features.
Old 07-16-2001, 10:06 AM   #5
Arie

From the Eudora Web site:

Security Vulnerability
Some versions of Qpopper are vulnerable to buffer overruns. Qpopper 2.41 and older can be used to obtain root access to your system. Qpopper 2.53 and older may permit an attacker who has access to a valid account to obtain a shell with group-id 'mail', potentially allowing read/write access to all mail.

http://www.eudora.com/qpopper_general/#BUFFER

------------------
Regards,

Arie Slob,
InfiniSource, Inc.
http://www.infinisource.com
Internet & Windows Resources
All times are GMT -5.