Hello,

www.deploylinux.net, which uses Zope as its backend, was hacked at 3:30pm Tuesday afternoon. We know this because two new users were created in the /etc/shadow file and the following email was sent:

From: root <root>
Message-Id: <200001182346.PAA16613@yoda.colo.jalan.com>
To: dz@noxiin.com
Subject: yoda.colo.jalan.com

* shadow detected, no login backdoor
* in.rshd (atif) installed!
* bLACK pANTHER kit installed @ yoda.colo.jalan.com / 216.33.174.217

The server runs only Zope 2.1, a recent version of sendmail, ftp, and an amanda client over SSH. Everything else was disabled.

While identifying the source of the break-in, we noticed that a new file had been created in one of the Zope directories, and that the root history logs showed that this file had been executed. Therefore, we are trying to find out if this is an active Zope exploit. The server was protected by a firewall on lower level ports other than SMTP, ftp, and http.

We've removed the new users and are in the process of resecuring the box.

We are interested to know if anyone else has seen similar events. Hopefully this info will be beneficial to others in the community.

Thanks,
M. Marlowe

--
Matthew Marlowe         http://www.jalan.com/        (p) 909.799.3805
mmarlowe@jalan.com      Jalan Network Services       (f) 909.799.3285
"Quality Web Hosting, Network, Linux, and Solaris Consulting"
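The three indicators in the post above (accounts added to /etc/shadow, in.rshd switched on, a new file in the Zope tree that root then executed) can be checked mechanically against a known-good baseline. The script below is an added example, not code from the thread or from Zope: it builds constructed sample files (baseline and current passwd/shadow, an inetd.conf with an rsh line added, a small Zope tree with one new file) in a temp directory and runs the four checks over them. The account names, file names, paths and timestamps in it are assumptions made for the sample.

```shell
#!/bin/sh
# Added example (not from the thread or from Zope): host triage for the
# indicators in the report above. Every input is a constructed sample
# written to a temp dir by setup_samples. On a real box, run the checks
# from a trusted shell (rescue media) against copies of the files, with a
# baseline taken from a backup made before the incident.

# Usernames present in CURRENT (passwd or shadow) but absent from BASELINE.
new_accounts() {
    na_b=$(mktemp); na_c=$(mktemp)
    cut -d: -f1 "$1" | sort > "$na_b"
    cut -d: -f1 "$2" | sort > "$na_c"
    comm -13 "$na_b" "$na_c"          # lines only in the current file
    rm -f "$na_b" "$na_c"
}

# Accounts in a passwd file with UID 0 under a name other than root: the usual
# shape of a passwd/shadow "no login backdoor" like the one the kit reported.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Enabled (uncommented) r-service lines in an inetd.conf: shell = in.rshd,
# login = in.rlogind, exec = in.rexecd. Always exits 0 so callers can test
# the output rather than grep's status.
enabled_rservices() {
    grep -E '^[[:space:]]*(shell|login|exec)[[:space:]]' "$1" || true
}

# Regular files under DIR modified after REF. Choose REF as a file known to
# predate the incident (a rotated log, say) rather than trusting the clock.
files_newer_than() {
    find "$1" -type f -newer "$2" | sort
}

# Constructed sample data modelled on the report (all names are made up):
# a baseline from backup, a current passwd/shadow with two added users (one of
# them UID 0), an inetd.conf with an rsh line added, and a Zope tree where one
# file was created after the reference timestamp.
setup_samples() {
    ss_d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'zope:x:500:500:Zope:/usr/local/zope:/bin/sh' > "$ss_d/passwd.base"
    { cat "$ss_d/passwd.base"
      printf '%s\n' 'sys0:x:0:0::/:/bin/sh' 'tmpusr:x:1001:1001::/tmp:/bin/sh'
    } > "$ss_d/passwd.cur"
    printf '%s\n' 'root:HASH:10975:0:99999:7:::' \
                  'zope:HASH:10975:0:99999:7:::' > "$ss_d/shadow.base"
    { cat "$ss_d/shadow.base"
      printf '%s\n' 'sys0:HASH:10975:0:99999:7:::' 'tmpusr:HASH:10975:0:99999:7:::'
    } > "$ss_d/shadow.cur"
    printf '%s\n' \
      '#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd' \
      'ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a' \
      'shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd' > "$ss_d/inetd.conf"
    mkdir -p "$ss_d/zope/Extensions"
    touch -t 200001180900 "$ss_d/zope/z2.py"   # predates the incident
    touch -t 200001181500 "$ss_d/ref"          # last known-good timestamp (Tue 18 Jan 2000, 15:00)
    echo 'echo dropped' > "$ss_d/zope/Extensions/dropper.sh"   # created now, i.e. after ref
    echo "$ss_d"
}

# Human-readable report for one host/sample directory.
triage_report() {
    echo "== accounts added to shadow =="; new_accounts "$1/shadow.base" "$1/shadow.cur"
    echo "== extra UID 0 accounts =="; extra_uid0 "$1/passwd.cur"
    echo "== r-services enabled in inetd.conf =="; enabled_rservices "$1/inetd.conf"
    echo "== files in zope tree newer than $1/ref =="; files_newer_than "$1/zope" "$1/ref"
}

SAMPLES=$(setup_samples)
triage_report "$SAMPLES"
```

On the sample data the report lists sys0 and tmpusr as added accounts, sys0 as a second UID 0, the uncommented in.rshd line, and Extensions/dropper.sh as the only file newer than the reference. A kit like the one reported can replace ls, find and ps, so run these from rescue media against copies of the files; the checks tell you what was touched, not that the box is clean.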
Matthew,

We have heard of no Zope exploits... If you don't determine how it was cracked in the meantime, can you tar up the whole zope dir and send it over to us?

Which ftpd were you running?

Matthew Marlowe wrote:
> Hello,
>
> www.deploylinux.net, which uses Zope as its backend, was hacked at 3:30pm Tuesday afternoon. We know this because two new users were created in the /etc/shadow file and the following email was sent:
>
> From: root <root>
> Message-Id: <200001182346.PAA16613@yoda.colo.jalan.com>
> To: dz@noxiin.com
> Subject: yoda.colo.jalan.com
>
> * shadow detected, no login backdoor
> * in.rshd (atif) installed!
> * bLACK pANTHER kit installed @ yoda.colo.jalan.com / 216.33.174.217
>
> The server runs only Zope 2.1, a recent version of sendmail, ftp, and an amanda client over SSH. Everything else was disabled.
>
> While identifying the source of the break-in, we noticed that a new file had been created in one of the Zope directories, and that the root history logs showed that this file had been executed. Therefore, we are trying to find out if this is an active Zope exploit. The server was protected by a firewall on lower level ports other than SMTP, ftp, and http.
>
> We've removed the new users and are in the process of resecuring the box.
>
> We are interested to know if anyone else has seen similar events. Hopefully this info will be beneficial to others in the community.
>
> Thanks,
> M. Marlowe
>
> --
> Matthew Marlowe         http://www.jalan.com/        (p) 909.799.3805
> mmarlowe@jalan.com      Jalan Network Services       (f) 909.799.3285
> "Quality Web Hosting, Network, Linux, and Solaris Consulting"
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )

--
Chris McDonough
Digital Creations, Inc.
Zope - http://www.zope.org
On 1/18/00 9:55 PM, Matthew Marlowe at mmarlowe@jalan.com wrote:
> Hello,
>
> www.deploylinux.net, which uses Zope as its backend, was hacked at 3:30pm Tuesday afternoon. We know this because two new users were created in the /etc/shadow file and the following email was sent:
>
> From: root <root>
> Message-Id: <200001182346.PAA16613@yoda.colo.jalan.com>
> To: dz@noxiin.com
> Subject: yoda.colo.jalan.com
>
> * shadow detected, no login backdoor
> * in.rshd (atif) installed!
> * bLACK pANTHER kit installed @ yoda.colo.jalan.com / 216.33.174.217

I will have to do some research as to the "hack" that was installed, but it's very clear to me that this was done by a "script kiddie", i.e., someone who has no skill and simply runs scripts that try all the available attacks. This figures more in my response below.

> The server runs only Zope 2.1, a recent version of sendmail, ftp, and an amanda client over SSH. Everything else was disabled.

Sendmail, that illustrious security hole in the making :-) Depending on what FTP server you're running there are potentially dozens of holes. Also, how you're restricting Amanda could matter... Having said that, I'm not ruling out an attack via Zope, simply that we are unaware of one that could be made by anyone that did not have Manager privs already in Zope.

> While identifying the source of the break-in, we noticed that a new file had been created in one of the Zope directories, and that the root history logs showed that this file had been executed. Therefore, we are trying to find out if this is an active Zope exploit.

This is suspicious, but not a damning thing. As I said above, this is a "script kiddie" attack, and I would be *very* surprised if anyone has developed an attack against Zope that can be "scripted". It is not, however, impossible.

> The server was protected by a firewall on lower level ports other than SMTP, ftp, and http.

What does this mean exactly?

> We've removed the new users and are in the process of resecuring the box.

After a compromise, no box is rescuable, period. You *must* re-install from a proven source, otherwise you risk leaving back-doors. No competent hacker would have only one.

> We are interested to know if anyone else has seen similar events. Hopefully this info will be beneficial to others in the community.

What we need (and please respond in private!) is:

  FULL system configuration
  Full Zope configuration

It's important to understand attack vectors before understanding what happened.

Chris
--
| Christopher Petrilli      Python Powered     Digital Creations, Inc.
| petrilli@digicool.com     http://www.digicool.com
In article <B4AA96F1.889F%petrilli@digicool.com>, Christopher Petrilli <petrilli@digicool.com> wrote:
>> The server runs only Zope 2.1, a recent version of sendmail, ftp, and an amanda client over SSH. Everything else was disabled.
>
> Sendmail, that illustrious security hole in the making :-) Depending on what FTP server you're running there are potentially dozens of holes. Also, how you're restricting Amanda could matter...

Also, see the recent ssh advisories (e.g. http://www.cert.org/advisories/CA-99-15-RSAREF2.html).
participants (4)
- Chris McDonough
- Christopher Petrilli
- Matthew Marlowe
- tsarna@endicor.com