Hello,

I'm trying to do some forensics on a Red Hat 6.2 box that was somehow turned into a mail relay and may have been compromised. The mail logs show the mail coming from an apache virtual host address, and this machine was running zope, and the list of hotfix files I see is:

5220 May 25 2001 Hotfix_2000-10-02.tar.gz
2800 May 25 2001 Hotfix_2000-10-11.tgz
3002 May 25 2001 Hotfix_2000-12-08.tgz
2839 May 25 2001 Hotfix_2000-12-15a.tgz
2386 May 25 2001 Hotfix_2000-12-18.tgz
1899 May 25 2001 Hotfix_2001-02-23.tgz
3292 May 25 2001 Hotfix_2001-03-08.tgz
2492 May 25 2001 Hotfix_2001-05-01.tgz
30720 May 25 2001 hotfix.tar

So, would anybody have any ideas how to determine if this might have been compromised? Or is there a known mail relay exploit through zope somehow? I've checked system binaries and everything seems fine. None of the python files seem to have been changed since well before the relaying started. Not sure what version of zope this is - it was built locally, not an rpm.

Thanks in advance,
Chris Pelton
Chris Pelton wrote:
So, would anybody have any ideas how to determine if this might have been compromised? Or is there a known mail relay exploit through zope somehow? I've checked system binaries and everything seems fine. None of the python files seem to have been changed since well before the relaying started.
It might help to know the version of zope, which you may be able to find in the version.txt file distributed with zope releases. That said, there hasn't been a known relay exploit to the best of my knowledge, but there are many ways to implement a web application that sends mail in zope, and it wouldn't be at all surprising if the implementation of your system was vulnerable. Do you know enough about Zope to discuss the implementation of your web application? We can throw out a bazillion ideas but that's a painfully slow way to determine what really happened.

-- Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy
On Mon, Oct 13, 2003 at 05:36:51PM -0700, Chris Pelton wrote:
Hello,
I'm trying to do some forensics on a Red Hat 6.2 box that was somehow turned into a mail relay and may have been compromised. The mail logs show the mail coming from an apache virtual host address, and this machine was running zope, and the list of hotfix files I see is:

5220 May 25 2001 Hotfix_2000-10-02.tar.gz
2800 May 25 2001 Hotfix_2000-10-11.tgz
3002 May 25 2001 Hotfix_2000-12-08.tgz
2839 May 25 2001 Hotfix_2000-12-15a.tgz
2386 May 25 2001 Hotfix_2000-12-18.tgz
1899 May 25 2001 Hotfix_2001-02-23.tgz
3292 May 25 2001 Hotfix_2001-03-08.tgz
2492 May 25 2001 Hotfix_2001-05-01.tgz
If you're worried that one of those is a trojan, you could re-download the hotfixes here and use diff or cmp: http://zope.org/Products/Zope/swpackage_view
So, would anybody have any ideas how to determine if this might have been compromised? Or is there a known mail relay exploit through zope somehow?
Never heard of one, but if you have a MailHost with wide open permissions somebody could pretty easily write a client script to abuse it.
Not sure what version of zope this is
That would be listed in the output on startup, and you can also check by visiting http://zope_server:zope_port/Control_Panel/manage_main

-- Paul Winkler http://www.slinkp.com
Look! Up in the sky! It's NANO PHYSICIAN! (random hero from isometric.spaceninja.com)
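One way to carry out the cmp check Paul suggests across the whole hotfix list, as an added example that is not from the thread: it assumes the reference archives have already been downloaded from the zope.org URL above into a separate directory, and reports any archive on the suspect box that differs from its reference copy or has no reference copy to compare against.

```shell
#!/bin/sh
# Added example (not from the original thread). Compares every Hotfix_*.tgz,
# Hotfix_*.tar.gz and hotfix.tar found in <suspect_dir> against a file of the
# same name in <reference_dir>, which is assumed to hold freshly downloaded
# copies from zope.org. Byte-for-byte comparison via cmp, as Paul suggests.
# Usage:  verify_hotfixes <suspect_dir> <reference_dir>
# Exit status: number of archives that differ or lack a reference (0 = all match).

verify_hotfixes() {
    suspect="$1"; ref="$2"; bad=0
    for f in "$suspect"/Hotfix_*.tgz "$suspect"/Hotfix_*.tar.gz "$suspect"/hotfix.tar; do
        [ -e "$f" ] || continue            # pattern matched nothing; skip literal
        name=$(basename "$f")
        if [ ! -f "$ref/$name" ]; then
            # No clean copy to compare against: treat as unverified, not as OK
            echo "MISSING   $name (no reference copy in $ref)"
            bad=$((bad + 1))
        elif cmp -s "$f" "$ref/$name"; then
            echo "OK        $name"
        else
            echo "DIFFERS   $name ($(wc -c < "$f") vs $(wc -c < "$ref/$name") bytes)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

A non-zero exit means at least one archive needs a closer look (for example, diffing the extracted contents of the two tarballs), not that the box is confirmed compromised.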
Never heard of such an abuse either. Only we are the victim of one such. So I would be interested in any findings.

Robert

On Tuesday, 14 October 2003 03:46, Paul Winkler wrote:
-- with kind regards
Robert Rottermann
www.redCOR.ch