On Mon, Oct 13, 2003 at 05:36:51PM -0700, Chris Pelton wrote:
Hello,
I'm trying to do some forensics on a redhat 6.2 box that was somehow turned into a mail relay and may have been compromised. The mail logs show the mail coming from an apache virtual host address, and this machine was running zope, and the list of hotfix files I see is:
5220 May 25 2001 Hotfix_2000-10-02.tar.gz 2800 May 25 2001 Hotfix_2000-10-11.tgz 3002 May 25 2001 Hotfix_2000-12-08.tgz 2839 May 25 2001 Hotfix_2000-12-15a.tgz 2386 May 25 2001 Hotfix_2000-12-18.tgz 1899 May 25 2001 Hotfix_2001-02-23.tgz 3292 May 25 2001 Hotfix_2001-03-08.tgz 2492 May 25 2001 Hotfix_2001-05-01.tgz
if you're worried that one of those is a trojan, you could re-download the hotfixes here and use diff or cmp: http://zope.org/Products/Zope/swpackage_view
So, would anybody have any ideas how to determine if this might have been compromised? Or is there a known mail relay exploit through zope somehow?
never heard of one, but if you have a MailHost with wide open permissions somebody could pretty easily write a client script to abuse it.
Not sure what version of zope this is
That would be listed in the output on startup, and you can also check by visiting http://zope_server:zope_port/Control_Panel/manage_main -- Paul Winkler http://www.slinkp.com Look! Up in the sky! It's NANO PHYSICIAN! (random hero from isometric.spaceninja.com)