[Zope-dev] possible compromise
Paul Winkler
pw_lists at slinkp.com
Mon Oct 13 21:46:43 EDT 2003
On Mon, Oct 13, 2003 at 05:36:51PM -0700, Chris Pelton wrote:
> Hello,
>
> I'm trying to do some forensics on a redhat 6.2 box that was somehow
> turned into a mail relay and may have been compromised. The mail logs
> show the mail coming from an apache virtual host address, and this
> machine was running zope, and the list of hotfix files I see is:
>
> 5220 May 25 2001 Hotfix_2000-10-02.tar.gz
> 2800 May 25 2001 Hotfix_2000-10-11.tgz
> 3002 May 25 2001 Hotfix_2000-12-08.tgz
> 2839 May 25 2001 Hotfix_2000-12-15a.tgz
> 2386 May 25 2001 Hotfix_2000-12-18.tgz
> 1899 May 25 2001 Hotfix_2001-02-23.tgz
> 3292 May 25 2001 Hotfix_2001-03-08.tgz
> 2492 May 25 2001 Hotfix_2001-05-01.tgz
If you're worried that one of those is a trojan, you could re-download
the hotfixes here and use diff or cmp:
http://zope.org/Products/Zope/swpackage_view
> So, would anybody have any ideas how to determine if this might have
> been compromised? Or is there a known mail relay exploit through zope
> somehow?
Never heard of one, but if you have a MailHost with wide-open permissions
somebody could pretty easily write a client script to abuse it.
> Not sure what version of zope this is
That would be listed in the output on startup, and you can also check by
visiting http://zope_server:zope_port/Control_Panel/manage_main
--
Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's NANO PHYSICIAN!
(random hero from isometric.spaceninja.com)
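The byte-for-byte comparison Paul suggests above, written out as an added example (this is not code from the original post or from the Zope project). It assumes the installed archives sit in one directory and the freshly re-downloaded reference copies in another; the directory names and the sample "archives" below are constructed so the script runs offline, and in real use the reference directory would hold the re-downloads from the swpackage_view page.

```shell
#!/bin/sh
# Added example: verify installed Zope hotfix archives against re-downloaded
# reference copies with cmp. Not part of the original post; directory names
# and the demo archives are assumptions made for illustration.

# compare_hotfixes LOCAL_DIR GOOD_DIR
# Prints one line per installed Hotfix_* archive: OK, MODIFIED (bytes differ
# from the reference copy) or MISSING (no reference copy to compare with).
# Returns 0 only if every archive matched.
compare_hotfixes() {
    ch_local=$1
    ch_good=$2
    ch_rc=0
    for ch_file in "$ch_local"/Hotfix_*; do
        [ -e "$ch_file" ] || continue        # no archives at all: glob stayed literal
        ch_name=$(basename "$ch_file")
        if [ ! -f "$ch_good/$ch_name" ]; then
            echo "MISSING  $ch_name (no reference copy; inspect by hand)"
            ch_rc=1
        elif cmp -s "$ch_file" "$ch_good/$ch_name"; then
            echo "OK       $ch_name"
        else
            echo "MODIFIED $ch_name (differs from reference; treat as suspect)"
            ch_rc=1
        fi
    done
    return $ch_rc
}

# count_status STATUS LOCAL_DIR GOOD_DIR
# Number of archives reported with the given status (OK, MODIFIED, MISSING).
count_status() {
    compare_hotfixes "$2" "$3" | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# make_demo_tree
# Builds a constructed local/ and good/ pair under a temp directory and
# prints its path. Four archives match, one is tampered with after copying,
# and one exists locally with no reference copy. These are not real hotfixes.
make_demo_tree() {
    md_dir=$(mktemp -d)
    mkdir -p "$md_dir/local" "$md_dir/good"
    for md_name in Hotfix_2000-10-02.tar.gz Hotfix_2000-12-15a.tgz \
                   Hotfix_2001-03-08.tgz Hotfix_2001-05-01.tgz; do
        printf 'reference contents of %s\n' "$md_name" > "$md_dir/good/$md_name"
        cp "$md_dir/good/$md_name" "$md_dir/local/$md_name"
    done
    printf 'extra bytes\n' >> "$md_dir/local/Hotfix_2001-03-08.tgz"   # simulated tampering
    printf 'unknown archive\n' > "$md_dir/local/Hotfix_2001-02-23.tgz" # no reference copy
    echo "$md_dir"
}

# Stand-alone run against the constructed tree.
demo=$(make_demo_tree)
if compare_hotfixes "$demo/local" "$demo/good"; then
    echo "all archives match their reference copies"
else
    echo "at least one archive needs attention"
fi
rm -rf "$demo"
```

In practice point the second argument at the directory holding the re-downloaded tarballs; a MODIFIED line means the installed archive is not the one published, and a MISSING line only means there was nothing to compare against, not that the archive is clean.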