USS Clueless - Linux updates
Stardate 20030928.1707

(Engineering log): This server is a Cobalt Qube 3. Cobalt was one of the plethora of startups in the 1990s who were going to make a fortune off open source software, but not quite in the same way as some others. What they did was to put together complete software/hardware packages, with the OS preinstalled. In addition to the basic OS, which is more or less Red Hat Linux, and such packages as Apache and MySQL, they wrote a fair amount of other software of their own which is proprietary.

As computers go, it isn't very powerful. It's only got a 300 MHz CPU, and the CPU is K6-2. It's plenty fast enough to serve static web pages, but if I were trying to run something like Movable Type which created web pages each time they were retrieved, that poor CPU would be on its knees.

When shipped, it had 64M of RAM in it. However, I stuffed it with as much RAM as it was capable of using, 512M. Aside from that, I have made no changes to its hardware.

Relative to its raw hardware specs, I paid an extremely high price. But what I was buying was a solution, not a server. Everything was preconfigured, and Cobalt set up a whole series of special web pages (which can only be accessed if you have an account and password on the server, so don't waste your time looking for them) to permit system management. I can create and remove accounts, and in general monitor and control the system quite conveniently without having to muck around with a command line.

Part of the proprietary Cobalt software is a package called BlueLinq which is similar in many ways to Microsoft's "Windows Update". My server (known as Regulus) makes contact with Cobalt's update server on a regular basis to see whether there are any new patches available. It can be set to send email in such cases but I don't have it configured that way. When I think of it, I go to the appropriate frame and see what's there. The last time I did it was a couple of months ago at which point I had, I thought, brought it completely up to date. It said there were no remaining patches to install.

So I looked at it again today and found several new ones. In fact, after the last round of patches the system started being somewhat less reliable, and I've been having to reboot it more often to keep it working. So I can't say I was very surprised to see patches available, but I wasn't right about the reason.

I installed a couple of them, and one in particular was an update to the BlueLinq package itself. And after that, a whole bunch of new patches appeared. I ended up looking at some of the docs on the Sun/Cobalt site (Sun having acquired Cobalt a while back) and found that a lot of them were system patches dating back to early 2001, which was before I even bought the thing.

There were also three full OS updates, for OS version 6.1, 6.2 and 6.4. The 6.1 update dates to May, 2002.

A couple of the patches wouldn't install. One was an update to MySQL, and the installation just hangs, doing nothing whatever.

And when I try to install the 6.1 OS upgrade, I get told that the preparation script failed and it couldn't be installed. But it doesn't tell me any more than that, and it leaves me up a stump.

It's entirely possible that the BlueLinq package keeps more data about that in some directory somewhere, but I haven't yet started looking for that, because I've gotten distracted by something else more worrying.

While trying to get the MySQL patch to install, it occurred to me that it might be that it can't install if MySQL is actually running at the time, so I used telnet to list all the currently running processes, and indeed something was using MySQL, though I have no idea what. I killed it off and tried running the patch installation again, but it did no good.

And while looking at that, I noticed that something called "squid" was running. I hadn't ever noticed anything like that before, and it makes me extremely nervous to see programs running if I can't explain what they're doing. I've been observing behavior on this system recently which made me wonder if maybe it might be a bit out of control.

Having made myself root, I went to the top of all things and ran "find . -name squid* -print", which isn't something I like to do very often, especially if the server is online. But it showed me a bunch of stuff, including online docs, and a big cache directory. The docs had a web page URL, so I was able to learn that squid is a caching server.

In the control pages that's one of the features of the system. But in those pages, I have it disabled. There are a bunch of things I don't use and don't need, so I have them disabled: Apple File Sharing server, DNS server, DHCP server, SNMP, Windows File Sharing Server and what they refer to as "Web Caching Server". The "Active Monitor" frame shows all of those as being disabled.

But Squid seems to have been keeping logs of its activity, and some time in the middle of August it started getting used quite a lot. That's after the last time I did patches, and what I think is that somehow or other squid is now enabled even though it isn't supposed to be. And someone doing a port scan found it, and has been using my system ever since as a proxy, so as to do anonymous browsing.

More than one person, in fact; there seem to have been a lot of them. It looks as if it's kept a log of every single transaction, and as its log files got big it compressed them into .gz files. The first such file is dated 20030831, and there's been o
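The squid logs described above are the evidence of the open-proxy problem, and the question a defender wants answered is who, outside the local network, has been using the box. This added example (not from the original post, and not Cobalt or squid code) reads squid's native access.log format from both plain and rotated .gz files and counts requests per outside client; the local address ranges and the sample log lines are constructed for the example.

```python
import gzip
import ipaddress
from collections import Counter

# Ranges the proxy is meant to serve (assumed here; list the real LAN in use).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]

def read_log(data):
    """Lines of a squid log from raw bytes; rotated logs are gzip (.gz), which
    is recognised by the gzip magic number so both forms parse the same way."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8", "replace").splitlines()

def parse_line(line):
    """Squid native access.log format:
    <epoch.ms> <elapsed> <client ip> <result/status> <bytes> <method> <url> ...
    Returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        return {"time": float(parts[0]), "client": ipaddress.ip_address(parts[2]),
                "status": parts[3], "url": parts[6]}
    except ValueError:
        return None

def external_clients(data):
    """Requests per client address outside LOCAL_NETS. Any entry at all means
    an outside host has been using the box as a proxy."""
    hits = Counter()
    for line in read_log(data):
        rec = parse_line(line)
        if rec and not any(rec["client"] in net for net in LOCAL_NETS):
            hits[str(rec["client"])] += 1
    return hits

# Constructed sample: one LAN request, three from two outside hosts, one junk line.
SAMPLE_LOG = b"\n".join([
    b"1062345600.123    245 192.168.1.20 TCP_MISS/200 4125 GET http://example.com/ - DIRECT/192.0.2.10 text/html",
    b"1062345601.456    310 203.0.113.5 TCP_MISS/200 8812 GET http://example.net/a - DIRECT/192.0.2.11 text/html",
    b"1062345602.789     98 203.0.113.5 TCP_HIT/200 2048 GET http://example.net/b.gif - NONE/- image/gif",
    b"1062345603.012    510 198.51.100.77 TCP_MISS/200 1200 GET http://example.org/ - DIRECT/192.0.2.12 text/html",
    b"# not a log line",
]) + b"\n"
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG)  # the same file as a rotated .gz

if __name__ == "__main__":
    for name, blob in (("access.log", SAMPLE_LOG), ("access.log.1.gz", SAMPLE_LOG_GZ)):
        print(name, dict(external_clients(blob)))
```

Pointing `external_clients` at the real access.log and its rotated .gz siblings gives the list of outside addresses and how much each used the proxy, which is the first thing to check before deciding whether the "disabled" caching server was in fact listening.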

Captured by MemoWeb from http://denbeste.nu/cd_log_entries/2003/09/Linuxupdates.shtml on 9/16/2004