> So, would anybody have any ideas how to determine if this might have
> been compromised? Or is there a known mail relay exploit through zope
> somehow? I've checked system binaries and everything seems fine. None of
> the python files seem to have been changed since well before the
> relaying started.

It might help to know the version of zope, which you may be able to find in the version.txt file distributed with zope releases. That said, there hasn't been a known relay exploit to the best of my knowledge, but there are many ways to implement a web application that sends mail in zope, and it wouldn't be at all surprising if the implementation of your system was vulnerable.

Do you know enough about Zope to discuss the implementation of your web application? We can throw out a bazillion ideas but that's a painfully slow way to determine what really happened.
Unfortunately I don't know much about zope. There are several version.txt files in the tree:

./lib/python/version.txt yields "Zope 2.2.5 (source release, python 1.5.2, linux2)"

but there is also a Zope-2.3.3-src directory, although I don't find any binaries in there that match what look to be the running binaries.

The thing is, this machine had sendmail configured for no-relay, but there were several virtual hosts in apache, and the mail was coming from one of those hosts. I'm thinking they could have just taken advantage of some Zope functionality, not necessarily a break-in?

Thanks again,
Chris
What I believe happened in the case of the misuse of our servers is something like this:

- On server A we have zope running behind Apache as a proxy. Somebody found this out in a way unknown to me.
- Our c-net was scanned for an MTA and server B was found (which only accepts mail from its own c-net).
- Now the abuser sends HTTP requests to A requesting to forward to port 25 on server B. Since these requests are now from within B's own c-net, they are accepted.

Robert

On Tuesday, 14 October 2003 21:51, Chris Pelton wrote:

> The thing is, this machine had sendmail configured for no-relay, but there were several virtual hosts in apache, and the mail was coming from one of those hosts. I'm thinking they could have just taken advantage of some Zope functionality, not necessarily a break-in?
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
--
Kind regards
Robert Rottermann
www.redCOR.ch
Yes, that's what I'm thinking happened here, but I need to verify that was the case. Are there any logs in zope that could help track this down, or a known configuration that would allow it to happen? Also, for future reference, can we disable this? Any ideas how someone might be able to tell Zope is running?

-Chris

robert wrote:

> What I believe happened in the case of the misuse of our servers is something like this:
>
> - On server A we have zope running behind Apache as a proxy. Somebody found this out in a way unknown to me.
> - Our c-net was scanned for an MTA and server B was found (which only accepts mail from its own c-net).
> - Now the abuser sends HTTP requests to A requesting to forward to port 25 on server B. Since these requests are now from within B's own c-net, they are accepted.
>
> Robert
On Tue, 2003-10-14 at 16:08, Chris Pelton wrote:
> Yes, that's what I'm thinking happened here, but I need to verify that was the case. Are there any logs in zope that could help track this down, or a known configuration that would allow it to happen? Also, for future reference, can we disable this? Any ideas how someone might be able to tell Zope is running?
I believe that the scenario Robert is describing does not actually involve Zope at all; rather, (in this scenario) Apache is willing to forward arbitrary traffic, via the 'CONNECT' verb. Check your Apache access logs for the HTTP verb, 'CONNECT'. Squid's default configs have specific settings to allow CONNECT only for HTTPS; I'm guessing that your Apache config might need to be tweaked likewise.
--
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
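Tres's advice to look through the Apache access log for the CONNECT verb, turned into a runnable check. This is an added example, not code from the thread, from Zope or from Apache. It scans constructed Apache combined-format log lines (the addresses, hosts and timestamps are made up) and flags the two request shapes a reverse proxy in front of Zope should never serve: a CONNECT request, and a request line carrying an absolute URI, which is how a client talks to a forward proxy. It goes a little beyond Tres's point by catching that second form as well, and it marks CONNECTs to a mail port that were answered with 200, meaning Apache actually opened the tunnel. It does not catch the formmail.pl abuse Chris mentions later, which looks like an ordinary POST in the log.

```python
"""Scan Apache access-log lines for open-proxy abuse patterns.

Added example for this thread, not code from the original posts. It looks
for two request shapes that a reverse proxy fronting Zope should never see:

  * the CONNECT verb (tunnelling a raw TCP stream, e.g. to port 25), and
  * an absolute URI in the request line ("GET http://other-host/ ..."),
    which is how a client talks to a *forward* proxy.

The sample lines below are constructed; hostnames and addresses are
placeholders, not data from the incident described in the thread.
"""
import re
from urllib.parse import urlsplit

# Apache "combined" log format, as written by the default LogFormat.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

MAIL_PORTS = {25, 465, 587}


def classify(line):
    """Return a finding dict for a proxy-style request, or None for a normal one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")

    if method == "CONNECT":
        # "CONNECT host:port": Apache only answers this when mod_proxy is
        # acting as a forward proxy (ProxyRequests On), optionally limited
        # by AllowCONNECT. A 200 means the tunnel was established.
        host, _, port = target.rpartition(":")
        port = int(port) if port.isdigit() else None
        return {
            "client": m.group("client"),
            "kind": "connect-tunnel",
            "host": host,
            "port": port,
            "status": int(m.group("status")),
            "smtp": port in MAIL_PORTS,
        }

    if target.startswith(("http://", "https://")):
        # Absolute-URI request line: forward-proxy usage, not a site request.
        u = urlsplit(target)
        return {
            "client": m.group("client"),
            "kind": "forward-proxy",
            "host": u.hostname,
            "port": u.port,
            "status": int(m.group("status")),
            "smtp": u.port in MAIL_PORTS,
        }
    return None


def scan(lines):
    """Classify every line; keep only the proxy-style requests."""
    findings = []
    for line in lines:
        f = classify(line)
        if f:
            findings.append(f)
    return findings


def relayed_via_connect(findings):
    """CONNECTs to a mail port answered with 200, i.e. tunnels Apache really
    opened. A 403 or 405 means the proxy refused the request."""
    return [f for f in findings
            if f["kind"] == "connect-tunnel" and f["smtp"] and f["status"] == 200]


# Constructed sample lines (placeholders, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2003:03:12:01 +0200] "GET /index_html HTTP/1.0" 200 5123',
    '203.0.113.7 - - [14/Oct/2003:03:12:05 +0200] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 -',
    '203.0.113.9 - - [14/Oct/2003:03:13:40 +0200] "GET http://192.0.2.25:25/ HTTP/1.0" 200 312',
    '198.51.100.4 - - [14/Oct/2003:03:14:02 +0200] "CONNECT 192.0.2.25:25 HTTP/1.0" 405 -',
    '198.51.100.4 - - [14/Oct/2003:03:15:00 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 302 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "RELAY?" if f["smtp"] and f["status"] == 200 else ""
        print(f"{f['client']:<14} {f['kind']:<14} {f['host']}:{f['port']} {f['status']} {flag}")
```

On a real server, feed it the access log of each virtual host (`scan(open(path))`), since the relaying Chris saw came from one specific vhost. A CONNECT that was refused still tells you someone was probing for an open proxy, so the rejected entries are worth keeping in the report even though only the 200s indicate relayed mail.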
On Tue, Oct 14, 2003 at 04:18:17PM -0400, Tres Seaver wrote:
> I believe that the scenario Robert is describing does not actually involve Zope at all; rather, (in this scenario) Apache is willing to forward arbitrary traffic, via the 'CONNECT' verb. Check your Apache access logs for the HTTP verb, 'CONNECT'. Squid's default configs have specific settings to allow CONNECT only for HTTPS; I'm guessing that your Apache config might need to be tweaked likewise.
Yup, I don't think zope even *can* do something like that. I was guessing that the exploit was at the application level - somebody found a MailHost with wide-open permissions and abused it with a client script.

--
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's THE INTOXICATED GIRL!
(random hero from isometric.spaceninja.com)
Thanks for all the help - it was indeed Apache. The older relay messages did have the CONNECT verb in the logs, however the most recent ones simply used the formmail.pl which was readily available. Didn't mean to blame Zope for all of this - just the piece of the puzzle I understood the least.

Thanks again,
Chris

Tres Seaver wrote:

> I believe that the scenario Robert is describing does not actually involve Zope at all; rather, (in this scenario) Apache is willing to forward arbitrary traffic, via the 'CONNECT' verb. Check your Apache access logs for the HTTP verb, 'CONNECT'. Squid's default configs have specific settings to allow CONNECT only for HTTPS; I'm guessing that your Apache config might need to be tweaked likewise.
Chris Pelton wrote:
> Yes, that's what I'm thinking happened here, but I need to verify that was the case. Are there any logs in zope that could help track this down, or a known configuration that would allow it to happen?
Several, the most common is people using mod_proxy incorrectly. Look for a ProxyRequests directive in your Apache config, if it exists and is on, chances are you have misconfigured Apache. Direct use of mod_proxy's directives is never necessary to use Zope.
> Any ideas how someone might be able to tell Zope is running?
You mean how somebody could fingerprint you from the outside? Well the Server header in the http response is the most obvious way, but certainly not the only one; zope's fingerprint is very distinct because of acquisition and its numerous management interfaces.

--
Jamie Heilman
http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
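Jamie's check, "look for a ProxyRequests directive", as an added, runnable example; this is not code from the thread, from Zope or from Apache. It parses two constructed httpd.conf fragments: one with the misconfiguration (`ProxyRequests On`, which turns the server into a forward proxy for anyone who can reach it and is what CONNECT tunnelling rides on) and one with the reverse-proxy-only setup a Zope front end needs (`ProxyPass` / `ProxyPassReverse`, or a `RewriteRule` with the `[P]` flag). The directive names are Apache's; the backend port, hostnames and the VirtualHostMonster path in the sample configs are assumed for illustration, not taken from the poster's setup.

```python
"""Audit an Apache config for forward-proxy settings a Zope front end never needs.

Added example for this thread, not code from the original posts. Fronting
Zope needs only reverse-proxy directives (ProxyPass / ProxyPassReverse, or a
RewriteRule with the [P] flag). "ProxyRequests On" enables forward proxying,
and with it CONNECT tunnelling, for every client that can reach the server.
The two configs below are constructed illustrations, not a real httpd.conf.
"""
import re

# RewriteRule flags that make mod_rewrite hand the request to mod_proxy.
PROXY_FLAG_RE = re.compile(r"\[[^\]]*\b(P|proxy)\b", re.IGNORECASE)


def parse_directives(conf_text):
    """Yield (directive, args, section) for each directive line.

    Sections are the innermost enclosing container (<VirtualHost ...> etc.).
    Comments and blank lines are skipped. Good enough for an audit; it does
    not follow Include or handle backslash line continuations.
    """
    section = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            if section:
                section.pop()
            continue
        if line.startswith("<"):
            section.append(line.strip("<>").split()[0])
            continue
        name, _, args = line.partition(" ")
        yield name, args.strip(), "/".join(section) or "(global)"


def audit(conf_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    saw_reverse = False
    for name, args, where in parse_directives(conf_text):
        lname = name.lower()
        if lname == "proxyrequests" and args.lower() == "on":
            findings.append(
                f"{where}: ProxyRequests On enables forward proxying (CONNECT tunnels)")
        elif lname == "allowconnect":
            # Only meaningful for a forward proxy; its presence is a hint
            # that someone configured one on purpose.
            findings.append(f"{where}: AllowCONNECT {args} configures CONNECT tunnelling")
        elif lname in ("proxypass", "proxypassreverse") or (
                lname == "rewriterule" and PROXY_FLAG_RE.search(args)):
            saw_reverse = True
    if not saw_reverse:
        findings.append(
            "(global): no reverse-proxy directive found; is Zope actually fronted here?")
    return findings


# Constructed: the misconfiguration. Backend URL and vhost name are assumed.
WEAK_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:80>
    ServerName www.example.org
    ProxyRequests On
    ProxyPass / http://localhost:8080/VirtualHostBase/http/www.example.org:80/site/VirtualHostRoot/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
"""

# Constructed: the same vhost as a pure reverse proxy. ProxyRequests Off is
# Apache's default; stating it makes the intent explicit.
FIXED_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:80>
    ServerName www.example.org
    ProxyRequests Off
    ProxyPass / http://localhost:8080/VirtualHostBase/http/www.example.org:80/site/VirtualHostRoot/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run it against `httpd.conf` and every file it includes, since `ProxyRequests On` in any vhost is enough. The audit is deliberately narrow: it answers Jamie's question of whether mod_proxy is configured as a forward proxy at all, which is the configuration that lets an outsider reach port 25 on a neighbouring host through the web server.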
participants (5)
- Chris Pelton
- Jamie Heilman
- Paul Winkler
- robert
- Tres Seaver